Healthcare — third-party exposure and a 16-month notification gap
From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22
Healthcare breaches this week were dominated by third-party and disclosure-timing failures rather than direct perimeter compromise. iRhythm filed an SEC 8-K reporting data theft via social engineering of a third-party-hosted application (SEC 8-K, 2026-06-15; daily 06-16). HCRG Care Group began notifying patients in June 2026 of a Medusa ransomware attack that occurred in February 2025 — a 16-month gap between incident and notification (HIPAA Pulse, 2026-06-20; daily 06-21). Amazon's One Medical confirmed a legacy-storage breach (§ 2). The defender takeaway: most healthcare exposure this week entered through suppliers and legacy systems, not the front door.