Security Incident Impacts CardioComm’s Operations

CardioComm Solutions, a Canadian medical provider of consumer heart monitoring and medical ECG software solutions, disclosed on Tuesday a cybersecurity incident that occurred on the company’s servers.

To address the situation, CardioComm said it is collaborating closely with KPMG-EGYDE, relevant authorities and third-party cybersecurity experts. 

The company assures its customers that there is no evidence suggesting a compromise of their health information, as its software operates on individual client-server environments and it does not collect patient health data.

“The CardioComm attack is alarming for several reasons, not just for the potential compromise of customers’ health information or employee personal information,” warned Avishai Avivi, CISO at SafeBreach.

“If the malicious actors manage to gain access to the development environment at CardioComm Solutions, they may be able to find a way to tamper with the ECG test results or even disrupt the services using specific attacks against them, rather than leveraging normal security controls.”

Beyond the privacy and health implications of the breach, the incident has impacted CardioComm’s business operations, and the disruption may last several days until data is restored and server environments are fully re-established. The firm’s website is unavailable at the time of writing.

Additionally, several of CardioComm’s products are impacted by the outage. These include HeartCheck CardiBeat, a handheld ECG monitor that connects to smartphones via Bluetooth and enables users to transmit results to physicians, clinics or CardioComm’s SMART monitoring ECG service.

Services like Global Cardio 3 software, used in medical diagnostics for recording patient ECGs and creating reports, and CardioComm’s Home Flex software for uploading and sharing heart readings, are also affected.

The complete scope of the outage and its implications for consumers relying on these devices for at-home testing remains uncertain.

“This certainly appears to be the result of a ransomware attack, which impacted customer-facing services,” said Erich Kron, security awareness advocate at KnowBe4.

“This could be why the organization is not sharing the details of the attack. While this is inconvenient for the organization, for those relying on its services, which include ECG monitors and other heart-related medical services, this could be very concerning.”

CardioComm said it will continue to provide updates as the situation develops.
