When Your PHI Lives in a Vendor's Cloud App: Lessons From the iRhythm Breach
The data your practice is responsible for rarely sits in one place anymore. It lives in your EHR, your billing platform, your scheduling tool, your patient-engagement app — and in the cloud applications those vendors run on your behalf. A breach this week is a clean reminder that “we never touched our own network” is not the same as “our patients’ data is safe.”
On June 16, 2026, digital cardiac-monitoring company iRhythm Holdings disclosed a data breach after attackers stole patients’ personal and health information. According to BleepingComputer’s reporting, the stolen data was held on “third-party-hosted business applications,” and the attackers “gained access to the data through social engineering.” iRhythm said a threat actor contacted the company on June 9 demanding payment to keep the information private, and that it determined the incident was material on June 10 given the volume of data involved. Notably, the company said it has no evidence the breach affected its clinical or medical-device systems, patient safety, or financial-reporting systems, and that it does not store patients’ payment-card information.
Why a cloud-app breach is still your problem
iRhythm is a large company (its service has analyzed heartbeat data from over 12 million patients, per BleepingComputer), but the mechanics of this incident scale down directly to a small practice. The data was not lost from a server in iRhythm’s own data center. It was taken from business applications hosted by a third party, and the attackers got in by talking their way past a human, not by breaking encryption.
Small practices run on the same model. Your patient data flows through cloud apps you do not host and cannot directly defend. When one of those apps is breached, your network logs will show nothing wrong — and yet the protected health information you are accountable for may already be on a leak site.
A breach in a vendor’s cloud does not move your patients’ trust to the vendor. To the patient, your practice is still the face of their care — and their first phone call.
What to do when a vendor’s cloud app is breached
This is where the team-effort view of security earns its keep. A few level-headed steps:
- Confirm exposure from the source, not the headlines. Ask the vendor for their official notice and a clear statement of what data was involved and which of your patients are affected. Do not relay rumor to patients.
- Know your notification clock. If you are a covered entity and your patients’ PHI was exposed through a business associate, HIPAA breach-notification duties can still run to you. Confirm who notifies whom — and by when — before the deadline, not after.
- Prepare the front desk for social engineering. The same tactic that breached the vendor will be aimed at your staff and patients next. Brief everyone to slow down on urgent requests and verify through a known, on-file channel before clicking or paying.
- Check your paperwork. A breach is the moment to confirm your BAAs are current and cover the right vendors, and that you have a rehearsed incident-response habit rather than a scramble.
The Byzantine takeaway
You cannot patch a vendor’s cloud, but you can decide how prepared your practice is when one of them is breached. The iRhythm incident — data in third-party apps, taken through social engineering — is the ordinary shape of a modern healthcare breach, not an exotic one. Practices that handle it well already treat their vendors’ clouds as part of their own third-party risk picture, with a plan and a few calm conversations rehearsed before the phones ring. None of that requires an enterprise budget.
For the full details of the incident, read BleepingComputer’s coverage. If you want help mapping which of your vendors’ apps hold patient data, that is a conversation worth having as a team — which is how we think security should work.