Heart monitoring technology provider confirms cyberattack

A provider of technology for heart monitoring and medical electrocardiograms confirmed on Wednesday that it was responding to a cyberattack on its systems.

The website for the company, CardioComm, was down as of Wednesday afternoon. The incident was first reported by TechCrunch.

The Canada-based company sells products for recording, viewing, analyzing and storing electrocardiograms (ECGs) for diagnosis and management of cardiac patients.

CardioComm notes on a temporary webpage that all of its online services were down as it worked to resolve the issue. There’s a phone number for those in need.

Representatives for the company did not respond to requests for comment about whether it was a ransomware attack. In a statement, CardioComm said that the incident appears to be limited to its own servers.

“There is no evidence that customers' health information was compromised as a result of this attack since CardioComm's software is designed to run on each client's own server environments,” the company said. “Further, CardioComm does not collect patient health information from its clients. The Company has initiated identity theft precautions should any employee personal information have been compromised to minimize the impact on its staff.”

The company said it is launching an investigation with “relevant authorities” and cybersecurity experts to determine the “source and extent of any data breach.”

“CardioComm's business operations will be impacted for several days and potentially longer depending how quickly the Company is able to restore its data and re-establishes its production server environments,” the statement said.

The products affected include Global Cardio 3 — which is used to record patient electrocardiograms (ECGs), create ECG reports and send them to doctors — as well as the company's GEMS Flex 12 and GEMS Home Flex upload.

The outage also impacted The HeartCheck CardiBeat, a small handheld ECG monitor that can capture a wide range of arrhythmias such as tachycardia and atrial fibrillation. The device will not be able to record and upload data, the company said.

The GEMS Mobile ECG app is also unable to record and upload data.

CardioComm is the first company to receive Canadian and American medical device clearances to sell handheld ECG monitors directly to consumers.

Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) warned of a severe vulnerability in a cardiac device from medical device company Medtronic.

In September, the FBI warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks.

The FBI specifically cited vulnerabilities found in intracardiac defibrillators, mobile cardiac telemetry and pacemakers, noting that malicious hackers could take over the devices and change readings, administer drug overdoses, or “otherwise endanger patient health.”