
iRhythm Data Breach: Defending Third-Party Healthcare Applications Against Data Theft

Security Arsenal Team
June 16, 2026

Digital healthcare provider iRhythm Holdings has confirmed a significant data breach impacting patient privacy. Attackers successfully exfiltrated Personally Identifiable Information (PII) and Protected Health Information (PHI) hosted on third-party business applications. This incident underscores a critical reality for healthcare defenders: the perimeter is no longer defined by your firewall, but by the security posture of your supply chain.

For security practitioners, this is not just a headline; it is an active indicator of risk. The theft of PHI triggers high-severity regulatory implications under HIPAA and creates immediate downstream risks for patients via phishing and identity theft. Defenders must assume that credentials or session tokens for third-party SaaS platforms are currently being auctioned or traded in criminal forums and act accordingly.

Technical Analysis

Affected Environment: Third-party-hosted business applications (SaaS) utilized by iRhythm for storing and managing patient data.

Attack Vector: While the specific vulnerability (CVE) was not disclosed in the initial report, breaches of this nature typically involve:

  1. Credential Stuffing/Token Theft: Utilizing compromised credentials or session hijacking to access legitimate portals.
  2. Misconfigured Access: Excessive permissions granted to third-party integrations or internal users within the hosted application.
  3. API Abuse: Automated scraping of data via poorly secured API endpoints.

Impact: The confirmed exfiltration of patient names, medical data, and other PII. The "active exploitation" status is confirmed by the vendor's disclosure of the theft.

Defensive Gap: Traditional EDR and NDR solutions often lack visibility into data movement within third-party hosted web applications. The "attack" occurs over valid SSL/TLS channels using authenticated API calls or web sessions, making it indistinguishable from normal administrative activity without specific logging and telemetry from the third-party provider.

Detection & Response

Given the lack of a specific CVE in the vendor disclosure, detection must focus on the behavior of data exfiltration and unauthorized access to third-party business platforms. The following rules hunt for patterns commonly associated with bulk data scraping and unauthorized automation targeting SaaS applications.

SIGMA Rules

YAML
---
title: Potential Data Exfiltration via High Volume Web Requests
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential data exfiltration by identifying processes generating a high volume of outbound HTTP/HTTPS connections to non-corporate IPs, indicative of web scraping or automated data theft.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: true
    DestinationPort:
      - 80
      - 443
  filter:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter | count() by ProcessId > 50
  timeframe: 5m
falsepositives:
  - Legitimate heavy web browsing or updates
level: high
---
title: Suspicious PowerShell Web Request Activity
id: 9b3c2d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects PowerShell processes utilizing Invoke-WebRequest or similar methods to interact with external domains, commonly used in scripts to scrape SaaS data or exfiltrate to cloud storage.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'Invoke-RestMethod'
      - 'wget'
      - 'curl'
  condition: selection
falsepositives:
  - System administration scripts
  - Software updates
level: medium
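To make the first Sigma rule's semantics concrete, here is a small reference implementation of its logic, added as an example (it is not code from the Security Arsenal post). It applies the rule's selection (initiated connections to 80/443), its RFC1918 filter and its "more than 50 per process in 5 minutes" aggregation to constructed Sysmon Event ID 3 style records; the process IDs, image paths and documentation-range IP addresses are made up for the example.

```python
# Added example (not from the Security Arsenal post): a reference implementation
# of the "Potential Data Exfiltration via High Volume Web Requests" Sigma rule,
# run over constructed Sysmon Event ID 3 (network connection) records.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Mirrors the rule: outbound connections to 80/443, excluding RFC1918 space,
# more than 50 per process within a 5-minute window
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}
THRESHOLD = 50
WINDOW = timedelta(minutes=5)
# Constructed image paths used by the sample data
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def matches_selection(event):
    """Sigma 'selection': an initiated connection to a web port."""
    return bool(event["Initiated"]) and event["DestinationPort"] in WEB_PORTS


def matches_filter(event):
    """Sigma 'filter': destination inside a private (RFC1918) range."""
    ip = ipaddress.ip_address(event["DestinationIp"])
    return any(ip in net for net in PRIVATE_NETS)


def find_high_volume_processes(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(ProcessId, Image): peak_count} for processes that exceed
    `threshold` matching connections inside any sliding window of `window`."""
    recent = defaultdict(deque)   # per-process timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not matches_selection(ev) or matches_filter(ev):
            continue
        key = (ev["ProcessId"], ev["Image"])
        q = recent[key]
        q.append(ev["UtcTime"])
        while ev["UtcTime"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def _event(ts, pid, image, dst_ip, port=443):
    return {"UtcTime": ts, "ProcessId": pid, "Image": image, "Initiated": True,
            "DestinationIp": dst_ip, "DestinationPort": port}


def make_sample_events():
    """Constructed Sysmon-style records; IPs are taken from documentation ranges."""
    base = datetime(2026, 6, 16, 9, 0, 0)
    events = []
    # a script pushing 60 requests to one external host in three minutes: should alert
    events += [_event(base + timedelta(seconds=3 * i), 4120, POWERSHELL, "203.0.113.10") for i in range(60)]
    # a browser hammering an internal file server: excluded by the RFC1918 filter
    events += [_event(base + timedelta(seconds=i), 2200, CHROME, "10.1.2.3") for i in range(80)]
    # the same browser making 40 external connections spread over 20 minutes: under threshold
    events += [_event(base + timedelta(seconds=30 * i), 2200, CHROME, "198.51.100.7") for i in range(40)]
    return events


if __name__ == "__main__":
    for (pid, image), peak in find_high_volume_processes(make_sample_events()).items():
        print(f"ALERT pid={pid} image={image} connections_in_window={peak}")
```

The sliding window is stricter than the fixed 5-minute buckets most SIEM backends compile `timeframe` into, so expect the SIEM to fire slightly less often than this reference on bursts that straddle a bucket boundary; the false-positive note on the rule (heavy browsing, updaters) applies equally here.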

KQL (Microsoft Sentinel)

This query hunts for anomalous sign-in patterns to third-party applications, specifically looking for successful logins followed by massive data export actions or unusual user-agent strings indicative of automation.

KQL — Microsoft Sentinel / Defender
// Hunt for unusual access patterns to third-party SaaS applications
SigninLogs
| where ResultType == "0" // successful sign-ins only; ResultType is a string column in SigninLogs
| where AppDisplayName contains "thirdparty" or AppDisplayName contains "external" // Adjust to the display names (or AppId GUIDs) of the 3rd party apps in your tenant
| summarize Count = count(), Locations = make_set(Location), UserAgents = make_set(UserAgent) by UserPrincipalName, AppDisplayName, AppId, bin(TimeGenerated, 1h)
| where Count > 100 // Threshold for high volume interaction
| project TimeGenerated, UserPrincipalName, AppDisplayName, AppId, Count, Locations, UserAgents
| order by Count desc
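The KQL above only keeps the count threshold; the two other signals the paragraph mentions (automation-style user agents and a user appearing from several locations within the hour) are left to the analyst. The following added example (not code from the post) reproduces the hourly summarize over constructed SigninLogs-style records and adds those two checks. The user names, app name and user-agent strings are invented for the example.

```python
# Added example (not from the Security Arsenal post): the logic of the Sentinel
# hunt above, run over constructed SigninLogs-style records, extended with the
# "automation user agent" and "multiple locations" signals the text describes.
from collections import defaultdict
from datetime import datetime, timedelta

VOLUME_THRESHOLD = 100                      # same threshold as the KQL query
# Substrings typical of HTTP libraries and CLI tools rather than browsers (heuristic)
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "powershell", "go-http-client", "okhttp")


def looks_automated(user_agent):
    """Heuristic: user agents of HTTP libraries and CLI tools rather than browsers."""
    ua = user_agent.lower()
    return any(marker in ua for marker in AUTOMATION_UA_MARKERS)


def hourly_signin_summary(signins):
    """Equivalent of the KQL summarize: successful sign-ins bucketed per user, app and hour."""
    buckets = defaultdict(lambda: {"Count": 0, "Locations": set(), "UserAgents": set()})
    for s in signins:
        if s["ResultType"] != "0":          # ResultType "0" is a successful sign-in
            continue
        hour = s["TimeGenerated"].replace(minute=0, second=0, microsecond=0)
        b = buckets[(s["UserPrincipalName"], s["AppDisplayName"], hour)]
        b["Count"] += 1
        b["Locations"].add(s["Location"])
        b["UserAgents"].add(s["UserAgent"])
    return buckets


def suspicious_buckets(signins, threshold=VOLUME_THRESHOLD):
    """Return [(key, count, reasons)] for buckets that trip at least one signal."""
    findings = []
    for key, b in hourly_signin_summary(signins).items():
        reasons = []
        if b["Count"] > threshold:
            reasons.append("high_volume")
        if any(looks_automated(ua) for ua in b["UserAgents"]):
            reasons.append("automation_user_agent")
        if len(b["Locations"]) > 1:
            reasons.append("multiple_locations")
        if reasons:
            findings.append((key, b["Count"], sorted(reasons)))
    return sorted(findings)


def _signin(ts, upn, app, result, location, ua):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppDisplayName": app,
            "ResultType": result, "Location": location, "UserAgent": ua}


def make_sample_signins():
    """Constructed records; users, app name and user agents are illustrative only."""
    base = datetime(2026, 6, 16, 14, 0, 0)
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"
    rows = []
    # a service account authenticating 120 times in one hour with an HTTP library
    rows += [_signin(base + timedelta(seconds=30 * i), "svc-export@example.com", "Partner Portal",
                     "0", "US", "python-requests/2.31") for i in range(120)]
    # its failed attempts (ResultType 50126) must not be counted
    rows += [_signin(base + timedelta(seconds=5 * i), "svc-export@example.com", "Partner Portal",
                     "50126", "US", "python-requests/2.31") for i in range(5)]
    # a clinician with ordinary browser usage: nothing to report
    rows += [_signin(base + timedelta(minutes=7 * i), "nurse@example.com", "Partner Portal",
                     "0", "US", browser) for i in range(8)]
    # an admin seen from two countries inside the same hour
    rows += [_signin(base + timedelta(minutes=10), "admin@example.com", "Partner Portal", "0", "US", browser),
             _signin(base + timedelta(minutes=40), "admin@example.com", "Partner Portal", "0", "DE", browser)]
    return rows


if __name__ == "__main__":
    for (upn, app, hour), count, reasons in suspicious_buckets(make_sample_signins()):
        print(f"{hour:%Y-%m-%d %H:00} {upn} -> {app}: {count} sign-ins, reasons={reasons}")
```

The multiple-location check is deliberately coarse (any two distinct `Location` values in an hour); in production, feed it the tenant's expected locations for each user, or a VPN egress list, to keep travelling staff from tripping it.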

Velociraptor VQL

This artifact hunts for processes on endpoints that are actively communicating with known third-party business application domains or cloud storage endpoints, which could indicate an active exfiltration tool or script running locally.

VQL — Velociraptor
// Hunt for processes communicating with external business platforms
// Processes of interest (browsers and common scripting runtimes); Pid is renamed
// so it does not collide with the Pid column returned by netstat() below
LET interesting_procs = SELECT Pid AS ProcPid, Name, CommandLine, Exe, Username
  FROM pslist()
  WHERE Name =~ '^(chrome|msedge|powershell|python)[.]exe$'

// For each process of interest, list its web connections to addresses
// outside the RFC1918 private ranges
SELECT * FROM foreach(
   row=interesting_procs,
   query={
      SELECT ProcPid AS Pid, Name, CommandLine, Username,
             Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status AS State
      FROM netstat()
      WHERE Pid = ProcPid
        AND Raddr.Port IN (80, 443)
        AND NOT (Raddr.IP =~ '^(10[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|192[.]168[.])')
   })

Remediation Script (PowerShell)

This script assists in auditing local endpoints for potential credential dumping artifacts or suspicious browser history related to the targeted third-party domains. It also checks for the presence of common data scraping tools.

PowerShell
# Audit Script: Check for Indicators of Credential Theft and Scraping Tools
# Requires Administrator Privileges (reads the PowerShell Operational log and every user's profile)

Write-Host "[+] Starting Third-Party Breach Audit..." -ForegroundColor Cyan

# 1. Check for common scraping tools installed
$scrapeTools = @("python", "node", "wget", "curl")
$foundTools = @()

foreach ($tool in $scrapeTools) {
    # Restrict to real executables: in Windows PowerShell 'wget' and 'curl' are also
    # aliases of Invoke-WebRequest, which would otherwise be reported with an empty path
    $cmd = Get-Command $tool -CommandType Application -ErrorAction SilentlyContinue
    if ($cmd) {
        $foundTools += ($cmd | Select-Object -First 1).Source
    }
}

if ($foundTools.Count -gt 0) {
    Write-Host "[!] WARNING: Potential scraping tools found:" -ForegroundColor Red
    $foundTools | ForEach-Object { Write-Host "    - $_" }
} else {
    Write-Host "[+] No common scraping tools detected in PATH." -ForegroundColor Green
}

# 2. Check for suspicious recent PowerShell script execution
# Event ID 4104 is only written when Script Block Logging is enabled, so an empty
# result may mean the policy is off rather than that nothing ran
$startTime = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-PowerShell/Operational"
    Id        = 4104
    StartTime = $startTime
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "[!] WARNING: Recent PowerShell script execution detected:" -ForegroundColor Red
    $events | Select-Object -First 5 TimeCreated, Message | Format-List
} else {
    Write-Host "[+] No recent suspicious PowerShell activity." -ForegroundColor Green
}

# 3. Audit Browser Downloads for recent executables (Common dropper)
$users = Get-ChildItem "C:\Users" -Directory
foreach ($user in $users) {
    $downloadPath = Join-Path $user.FullName "Downloads"
    if (Test-Path $downloadPath) {
        $recentDownloads = Get-ChildItem $downloadPath -File | Where-Object { $_.LastWriteTime -gt $startTime -and $_.Extension -in @('.exe', '.zip', '.js', '.ps1') }
        if ($recentDownloads) {
            Write-Host "[!] WARNING: Recent suspicious downloads in $($user.Name):" -ForegroundColor Yellow
            $recentDownloads | Select-Object Name, LastWriteTime
        }
    }
}

Write-Host "[+] Audit Complete." -ForegroundColor Cyan

Remediation

  1. Immediate Credential Reset: Force a password reset for all users with access to the affected third-party business applications. Assume session tokens are compromised.
  2. Enable/Enforce MFA: Ensure Multi-Factor Authentication (MFA) is strictly enforced for all third-party SaaS portals. Implement phishing-resistant MFA (FIDO2) where possible.
  3. Audit Third-Party Permissions: Review the OAuth grants and API permissions granted to these applications. Revoke any unnecessary "read" or "export" permissions.
  4. Vendor Communication: Contact the third-party vendor to obtain specific logs regarding the breach timeframe. Correlate these logs with internal access logs to identify the initial access vector.
  5. IP Restriction: If possible, configure IP allow-listing on the third-party application to only accept traffic from corporate VPN ranges or known static IPs.
