Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - IRTC

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

ITEM 1A. RISK FACTORS

Our short and long-term success is subject to numerous risks and uncertainties, many of which involve factors that are difficult to predict or beyond our control. Before making a decision to invest in, hold, or sell our common stock, stockholders and potential stockholders should carefully consider the risks and uncertainties described below, in addition to the other information contained in or incorporated by reference into this Annual Report on Form 10-K, as well as the other information we file with the SEC. If any of the following risks are realized, our business, financial condition, results of operations, and prospects could be materially and adversely affected. In that case, the value of our common stock could decline and stockholders may lose all or part of their investment. Furthermore, additional risks and uncertainties of which we are currently unaware, or which we currently consider to be immaterial, could have a material adverse effect on our business, financial condition, and results of operations. Refer to our disclaimer regarding forward-looking statements at the beginning of “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in Part II, Item 7 of this Annual Report on Form 10-K.

Risks Related to Our Industry, Business and Operations

Reimbursement by Medicare is highly regulated and subject to change, and our failure to comply with applicable regulations, including regulations not designed for remote diagnostic tests like our iRhythm Services, could prevent us from receiving reimbursement under the Medicare program and some commercial payors, subject us to penalties, and adversely affect our reputation, business, and results of operations.

During the year ended December 31, 2025, we received approximately 24% of our total revenue from the Medicare program through CMS. The Medicare program is administered by CMS, which imposes extensive and detailed requirements on diagnostic services providers, including IDTFs. These requirements include, but are not limited to, rules that govern how we structure our relationships with physicians, how we operate our IDTFs and market our iRhythm Services, when we may perform diagnostic tests, and how and when we submit reimbursement claims.

CMS has acknowledged that the IDTF regulations were designed for “traditional” IDTFs that administer tests to patients in-person, at a single point in time, and from a single location, and only recently has CMS initiated changes to the regulations to address IDTFs like ours that furnish “indirect tests” that do not require in-person interaction and involve technicians performing computer analyses offsite or at another location. The changes, however, do not address all gaps identified by CMS relating to IDTF operations and the Medicare billing requirements. For example, CMS has not addressed billing for remote diagnostic tests that are performed from one or more IDTF or other remote locations.

In addition, many commercial payors require our IDTFs to maintain enrollment with the Medicare program as well as accreditation and certification with the Joint Commission.

We receive a substantial portion of our revenue from Medicare and third-party commercial payors with which we contract, and we cannot predict whether and to what extent existing reimbursement rates will continue to be available.

CMS updates the reimbursement rates for diagnostic tests performed by IDTFs annually via the Medicare Physician Fee Schedule. Effective January 1 of each year, CMS updates the national payment rates for the CPT codes we use to report our cardiac monitoring services: CPT code 93247 (ECG recording conducted over a period of greater than 7 days and up to 15 days), CPT code 93243 (ECG recording conducted over a period of greater than 48 hours and up to 7 days), and CPT code 93229 (mobile cardiovascular telemetry). New rates were published effective January 1, 2026, which reflect an increase in the national payment amount for CPT codes 93247, 93243, and 93229 as compared to calendar year 2025. However, there is no guarantee that these year-over-year increases will be sustained, or that payment rates will keep pace with the costs to provide our iRhythm Services in the future.

Because remote cardiac monitoring technology, including the iRhythm ACM System, is rapidly evolving, there is a continuing risk that relative value units assigned, and reimbursement rates set, by CMS may not adequately reflect the value and expense of this technology and associated monitoring services. Further, CMS may reduce the rates for the CPT codes assigned to our services in the future, which would adversely affect our financial results, particularly to the extent commercial payors with which we contract follow suit.

A commercial payor who terminates or does not renew their contract with us may, or may not, alter their coverage for the type of services we provide. In the event any of our key commercial payors terminate their agreements with us, elect not to renew or enter into new agreements with us upon expiration of their current agreements, or do not renew or establish new agreements on terms as favorable as are currently contracted, our business, operating results, and prospects would be adversely affected.

Finally, government and commercial payors have and may, in the future, consider healthcare policies and proposals intended to limit or reduce perceived increases in healthcare costs, including those that could significantly affect reimbursement for healthcare products such as our systems and services. For example, from time to time CMS or Medicare Administrative Contractors may develop National Coverage Determinations, Local Coverage Determinations (“LCDs”), or similar policies dictating the conditions for coverage and reimbursement of our iRhythm Services. For instance, in September 2025, Noridian Healthcare Solutions, LLC, Palmetto GBA, LLC, and CGS Administrators, LLC each published proposed LCDs regarding “Temporary Nontherapeutic Ambulatory Cardiac Monitoring Devices.” These proposed LCDs seek to outline the circumstances in which ambulatory cardiac monitoring is considered reasonable and necessary for Medicare purposes, device requirements, and associated coverage limitations. The proposed LCDs were subject to a public comment period that concluded in November 2025, in which iRhythm and other stakeholders had the opportunity to inform consideration of whether, and in what form, the LCDs might be adopted. The adoption of the proposed LCDs, or any other developments in the Medicare coverage policies on which the industry has come to rely, could necessitate changes to our business model, methods of operation, billing processes, and related compliance controls. Future significant changes in the healthcare systems in the United States or elsewhere could also have a negative impact on the demand for our current and future products and services.

If we are unable to expand the number of third-party commercial payors with which we contract or expand coverage for existing third-party commercial payors, our commercial success could be impacted.

There is significant uncertainty concerning third-party reimbursement of any new service until a contracted rate is established for that service with the commercial payor. Reimbursement by a commercial payor may depend on several factors, including, but not limited to, a payor’s determination that the ordered service is not experimental or investigational, medically necessary and appropriate for the specific patient, cost effective, supported by peer-reviewed publications, and accepted and used by physicians and other clinicians within their provider network.

Since each payor decides whether to establish a policy concerning reimbursement or to contract with us to set the price of reimbursement, seeking reimbursement on a payor-by-payor basis is a time-consuming and costly process to which we dedicate substantial resources.

Additionally, for our out-of-network or cash pay patients, we may be subject to state and federal surprise billing laws that impose limits on amounts that can be charged to such patients and/or the amount we can receive for out-of-network services from commercial payors as well as penalties for noncompliance.

We report to third party payors the technical components of the remote cardiac monitoring services that are performed with our Zio monitor, Zio XT, and Zio AT devices using CPT codes established by the AMA. These CPT codes are manufacturer- and technology-agnostic but describe general technical features required to support the diagnostic medical procedures represented by these billing codes. Given the nature of CPT codes, there is always some degree of risk for an entity that bills for its services that regulators or other third parties could assert that the CPT codes utilized were not appropriate, and recent regulatory developments have the potential to increase the risk of questions or inquiry regarding our use of a specific CPT code.

Regulators’ evolving understandings and definitions of certain cardiac monitoring modalities could result in assertions that our technology does not support certain diagnostic procedures described by the CPT codes that we currently use to report our iRhythm Services. For example, although FDA “Product Codes” are created and assigned by FDA to support the agency’s responsibility for regulating medical devices in the framework of device classifications designated under 21 C.F.R. Parts 862-892, Product Codes have the potential to raise questions about expectations for devices. In November 2023, FDA established a new Product Code QYX for “Outpatient Cardiac Telemetry” and retrospectively assigned Product Code QYX to several devices, including Zio AT. FDA’s “Definition” of the “Outpatient Cardiac Telemetry” devices within this Product Code references monitoring data being “transmitted to the prescribing clinician during the monitoring period by a 24/7 attended analysis center after review by a qualified individual,” which may be read as incorporating activities of an IDTF into the device. If our IDTF capabilities and performance do not align with FDA’s interpretation and expectations for Product Code QYX, a regulator or other third party could assert that the Zio AT cannot support MCT services. Any such assertion could jeopardize our ability to obtain clearances with indications and labeling that provide for the scope we planned, and our ability to submit claims for reimbursement for services utilizing Zio AT and may require us to evaluate whether we have received any overpayments that must be reported and returned to third-party payors.

Our revenue relies on our iRhythm Services, which are currently our only offerings.

Any new services may not be accepted by physicians or may merely replace revenue generated by our iRhythm Services and not generate additional revenue. If we have difficulty launching new services, our reputation may be harmed and our financial results adversely affected. In order to substantially increase our revenue, we will need to target physicians other than cardiologists, such as emergency room doctors, primary care physicians, and other physicians with whom we have had little contact and who may require a different type of marketing effort.

The market for remote cardiac monitoring solutions is highly competitive. If our competitors are able to develop or market monitoring devices and services that are more effective, or gain greater acceptance in the marketplace, than any services and related devices we develop, our commercial opportunities will be reduced or eliminated.

The market for remote cardiac monitoring products and services is competitive, characterized by rapid change resulting from technological advances, scientific discoveries, and other market activities of industry participants. Our industry is highly fragmented and characterized by a small number of large manufacturers and a large number of smaller regional service providers.

Large competitors in the remote cardiac market include companies that sell standard Holter monitors including GE Healthcare, Philips Healthcare, Mortara Instrument, Inc., Spacelabs Healthcare Inc. Additional competitors, such as BioTelemetry, Inc. (now part of Boston Scientific, Inc. These companies have also developed other patch-based cardiac monitors that have received FDA and foreign regulatory clearances. There are also several small start-up companies trying to compete in the patch-based cardiac monitoring space, as well as several entering the patch-based cardiac monitoring market.

We have also seen a trend in the market for large medical device companies to acquire, invest in, or form alliances with these smaller companies in order to diversify their product offerings and participate in the digital health space. Future competition could come from makers of wearable fitness products or large information technology companies focused on improving healthcare. These competitors and potential competitors may introduce new products and services that more directly compete with our iRhythm Services and related devices.

Failure to comply with legal, regulatory, or contractual requirements applicable to our billing and collection activities could subject us to penalties, and adversely affect our reputation, business and results of operations.

Billing for diagnostic services is complex, highly regulated, time-consuming, and expensive, and failure to comply with legal or contractual requirements applicable to our billing and collection activities could subject us to penalties, and adversely affect our reputation, business and results of operations. Depending on the billing arrangement and applicable law, we bill several types of entities and payors, including federal healthcare programs, third-party commercial payors, healthcare providers, and healthcare institutions, which may have different billing

requirements, coverage criteria, procedures, or expectations. We also bill insured patients for co-payments, co-insurance, and deductible amounts, as well as bill self-pay patients directly.

We also face risk in our collection efforts, including potential write-offs of doubtful accounts and long collection cycles, which could adversely affect our business, financial condition, and results of operations. We may also be adversely affected by the growth in patient responsibility accounts, as a result of increases in the adoption of plan structures, due to evolving health care policy and insurance landscapes, that shift greater responsibility for care to individuals through greater exclusions, prior authorizations, and co-payment and deductible amounts.

Additionally, our billing activities require us to implement compliance procedures and oversight, train and monitor our employees, subcontractors, and agents, and undertake internal review procedures to evaluate compliance with applicable laws, regulations, and internal policies. These activities require a tremendous dedication of resources and, as a result, we have engaged third-party vendors to undertake certain components of our billing and collections operations. While common in the healthcare industry, the outsourcing of billing and collections activities to third-party vendors requires diligent monitoring and oversight to ensure the completeness, accuracy, and propriety of the claims submitted to federal healthcare programs and other third-party commercial payors for our iRhythm Services. We may be held responsible by our regulators or payors for any acts, errors, or omissions by the third-party vendors engaged to perform billing and collections activities on our behalf.

As an IDTF, we submit claims directly to, and receive reimbursement from, federal healthcare programs, including Medicare, as well as other third-party commercial payors for tests ordered by unaffiliated healthcare providers. These programs and payors, including contractors on their behalf, may conduct pre- and post-payment audits and reviews of claims submitted for reimbursement, including audits and reviews focused on the appropriateness of unaffiliated healthcare providers’ decisions to order a particular test furnished by our IDTF, which impact our claims. Further, the federal healthcare programs may impose suspensions on both payment and participation in response to allegations of fraud or other noncompliance.

Other controls imposed by CMS and commercial payors designed to reduce costs, commonly referred to as “utilization review,” may also affect our operations. Federal law contains numerous provisions designed to ensure that services rendered to CMS patients meet professionally recognized standards and are medically necessary, appropriate for the specific patient, and cost-effective. These provisions include a requirement that a quality improvement organization review a sampling of claims for Medicare beneficiaries to assess the quality of care and appropriateness of the services provided. These quality improvement organizations may deny payment for services or assess fines and have the authority to recommend to CMS that a provider in substantial noncompliance with applicable Medicare requirements and quality standards be excluded from participation in the Medicare program. CMS also engages Medicare Administrative Contractors, Comprehensive Error Rate Testing Contractors, Recovery Audit Contractors, and Unified Program Integrity Contractors to conduct a variety of pre- and post-payment reviews of healthcare providers’ claims, and any aberrant practices or findings from such reviews may result in referrals to the Office of Inspector General, Department of Justice (“DOJ”), or other law enforcement agencies for further investigation and follow-up. As a provider enrolled in federal healthcare programs, we expect to be subject to such audits and claims reviews in the future, which may result in suspensions or other restrictions on our ability to submit claims for our services, payment delays, overpayment recoupments, and claims denials, which would negatively impact our business, financial condition, and results of operations, and may jeopardize our participation in these federal healthcare programs.

We have continued to evolve our revenue cycle management function in response to increased audit risk of our billing practices by government and commercial payers who are utilizing AI to review our bills. As part of that evolution, we utilize third-party service providers to support certain activities and these activities involve significant time and resources on our part to train and monitor such third parties.

We have continued to evolve our revenue cycle management function in response to the increased audit risk of our billing practices as a result of enhanced use of AI by government and commercial payers. As part of that evolution, we utilize third-party service providers to support certain activities and these activities involve significant time and resources on our part to train and monitor such third parties. The success of our efforts to evolve our revenue cycle management function depends on the ability of our service providers to deliver timely and accurate services that will continue to support our business as we scale our operations to facilitate growth opportunities, without adversely affecting current revenues and accounts receivable. These difficulties include challenges supporting certain operations and activities with more than one service provider, integrating technologies (including IT systems and processes, procedures, policies and operations), and retaining key personnel.

Although our current iRhythm ACM Systems are comprised of medical devices that have received FDA marketing authorization (510(k) clearance) as well as, with respect to certain devices, regulatory certifications or approvals in the EU, Japan, Switzerland and the UK, we may regularly engage in exploring and implementing product enhancements and in iterative changes to existing products, as well as seek to develop new technology or use of technology for new indications for use. These medical device developments may trigger further regulatory reviews, and the results of those reviews are unpredictable.

Before a new medical device or a new intended use for a medical device can be marketed in the United States, a company must first submit an application and receive either 510(k) clearance, De Novo marketing rights, or premarket approval from FDA, unless an exemption applies. All of these processes can be expensive, lengthy, and unpredictable. Changes in agency personnel and resources can add to the unpredictability of this process. We may not be able to obtain the clearances or approvals we seek or may be unduly delayed in doing so, which could harm our business. Even if we are granted regulatory clearances or approvals, they may include significant limitations on the indicated uses for the product, which may limit the market for the product. Even planned changes and improvements to devices and their uses can trigger the need for a new submission. FDA requirements dictate that we must evaluate potential changes and document our decision-making regarding the need for additional submissions and clearances or approvals. Unless effectively planned for in advance, our desired commercial timeline may be impacted.

Significant changes or modifications in design, components, method of manufacture, or the intended use or technological characteristics of our iRhythm ACM Systems may require new or modified FDA marketing authorization, CE Mark certification in the EU, UKCA Mark certification, Swiss Medical Devices Ordinance (“MedDO”) marketing authorization or Japanese PMDA marketing authorization.

As permitted by applicable law, FDA allows device manufacturers to internally analyze and document a decision that a new clearance or approval is viewed by the manufacturer as unnecessary.

Such internal decisions are, however, subject to review by FDA, and may require additional action in the event FDA questions earlier internal decision-making. In October 2024, following, and in alignment with, discussion with FDA, we received FDA 510(k) clearance for these design updates, as well as additional 510(k) clearance relating to further enhancements to Zio AT.

We may be required to submit a new marketing application or certification, which could require additional testing or other supporting data, a redesign of a product, or otherwise impact the provision of services. In these circumstances, the process may require engagement with regulators to resolve concerns and reach a resolution for a product, and we may be subject to significant enforcement actions.

We may not be able to obtain additional marketing authorizations in a timely fashion, or at all, which could harm our ability to introduce new or enhanced products in a timely manner and to meet market expectations for the provision of the services, which in turn could harm our future growth.

We are subject to extensive compliance requirements for the quality, design, safety, performance, and post-market surveillance of the medical devices we manufacture for use in our iRhythm Services, and for vigilance on complaint-handling, escalation, assessment, and reporting of adverse events and malfunctions. A wide range of quality, risk, regulatory, or safety matters could trigger enforcement action by regulatory authorities, the need for a recall, a hold on the distribution of the marketed product, or other corrective actions to marketed product, and such matters have the potential to escalate to judicial actions that involve the DOJ.

As a manufacturer of medical devices, we are subject to extensive regulation and related compliance requirements. Noncompliance and even allegations of noncompliance with these wide-ranging requirements may subject us to high compliance costs to remediate or defend against allegations of noncompliance, as well as enforcement action from U.S. federal or state regulators and enforcement authorities. Regulators may interpret or apply reportability or field action requirements differently than a company, which can result in enforcement risk. Actions to which a company may be subject could include the issuance of warning letters, adverse publicity, seizures, prohibitions on product sales, recalls, and civil and criminal penalties, any one of which could significantly impact our manufacturing supply and provision of services and impair our financial results. Furthermore, even if we adhere to regulatory standards and expectations in our corrective actions, the public nature of such actions can result in broader negative publicity and perceptions, which could harm our reputation.

Our design and manufacturing facilities and processes and those of certain third-party suppliers are subject to FDA and state, as well as EU, UK, Japanese and Swiss regulatory inspections for compliance with various medical device regulations and standards, including FDA, EU MDR, UK MDR, Japanese QMS and Swiss MedDO requirements. Developing and maintaining a compliant quality system is time consuming and investment intensive. Requirements and standards may change and evolve over time, and we will need to adapt. For example, FDA has issued final regulations on updates to FDA's QSR, now referred to as the Quality Management System Regulation or QMSR, which harmonizes key areas of quality management for device manufacturers in alignment with global regulatory requirements including ISO 13485:2016 and clause 3 of ISO 9000:2015. These regulations took effect on February 2, 2026. While the QMSR is now in effect, the transition presents some uncertainties relative to FDA practices and expectations in upcoming inspections of device quality systems.

They may also be reasonable, necessary, or prudent for a range of other reasons relating to the importance of gathering information in the post marketing setting and managing risk throughout the product lifecycle, or to address requests from regulators to increase or expand the scope of reporting. An increase in the reporting of events associated with the use of our products and services from us or others and any delays to

the filing of reports may increase regulator and public scrutiny, especially given that these reports are typically publicly available information in most jurisdictions, including the United States, which could harm our business.

If we initiate a field action (whether a “correction” made relative to a device that remains in the field, which could be through a labeling or software update, or “removal” or “recall” and return of that device to us, or field advisory notices) to reduce a risk to health posed by our iRhythm ACM System, we would be required to report the Correction or Removal to FDA and, in many cases, similar reports to other regulatory agencies.

Depending on the reason for the correction or removal and the potential severity of the impact to patient safety or the effectiveness of the device, FDA may require differing degrees of communication to alert those who may be in possession of an impacted device. We would generally be subject to similar requirements in jurisdictions outside the United States where the Zio products are used.

Examples of regulatory actions and communications in recent years include:

•Our receipt of Form 483 observations in August 2022 alleging certain quality system deficiencies, including in relation to our corrective and preventive action procedures, test validation, complaint handling and medical device reporting requirements. We submitted a response to FDA with further commitments to improve and remediate our Quality System. These activities, including dialogue with FDA, are ongoing.

•The Customer Advisory Notice we initiated September 28, 2022 to Zio AT customers, and our reports to FDA under 21 C.F.R. Part 806, regarding a Zio AT labeling correction involving additions and modifications to Zio AT labeling precautions relating to the device’s maximum transmission limits during wear, and also to the need for healthcare providers to complete registration to initiate monitoring services. FDA classified this field action as a Class II Recall following our initial 806 report and although we believe we have completed the distribution of the Advisory Notice to our identified impacted customers and requested the closure of this field action in March 2023, the status remains open in the public FDA recall database. and FDA has not yet confirmed the termination or completion of this recall to us.

•Our May 25, 2023 receipt of a warning letter from FDA alleging non-conformities to regulations for medical devices, including medical device reporting requirements, relating to our Zio AT System and medical device quality system requirements. We submitted a timely response to FDA in June 2023 and are continuing to work with the agency to address the issues outlined in the warning letter, including specific dialogue on key topics and our planned path forward. As part of this dialogue we agreed to make two 510(k) submissions relating to Zio AT. On October 21, 2024, we were granted FDA clearance for one 510(k) encompassing design updates that had previously been documented through letters to file. On October 30, 2024 we were granted FDA clearance on a second 510(k) submission related to design modifications and labeling updates for Zio AT.

•Our retrospective submission of certain Medical Device Reports in the fourth quarter of 2023, as part of our commitments following FDA 483 observations and the FDA warning letter issued on May 25, 2023.

•Our receipt of 483 observations following July 2024 FDA inspections of our Cypress and San Francisco FDA-registered facilities centered on complaint handling and medical device reporting, risk analysis regarding the involvement of the technicians to prepare the Zio ECG reports, the corrective and preventive action process, process controls and statistical techniques. We timely submitted our initial responses regarding 483 observations to FDA and have also submitted supplemental information. In these responses, we committed to a number of follow-up actions and we continue to work with FDA to resolve the issues identified.

Executing on our follow-up actions, commitments to FDA, and remediation activities have and continue to require significant time, attention, and resources that might otherwise be applied to future product development activities and initiatives, and could result in delays or changes to these plans. Our commitments will also require a high degree of attention to design strategy and compliance going forward.

In addition, although we continue to fully cooperate and are in dialogue with FDA, there are ongoing enforcement risks, including escalation of further action by FDA, that remain given the inspection and enforcement activities of FDA over the past few years. FDA may determine that our remediation efforts to date or our responses to the 2024 483 observations are insufficient or unsatisfactory. FDA could issue another warning letter, issue a consent decree in collaboration with the DOJ, and/or require recall or cessation of marketing and shipping our Zio device.

We cannot give any assurances that FDA will be satisfied with our response, the actions taken to resolve the concerns raised in the warning letter or the more recent 483 observations, or the expected date for the resolution of such matters by FDA. Until these issues are resolved to FDA’s satisfaction, additional legal or regulatory action may be taken with or without further notice. The warning letter and the 483 observations are

publicly available on FDA’s website and have been the subject of a high degree of media and industry attention, which subjects us to additional scrutiny.

If we are unable to successfully execute and maintain follow-up actions consistent with our commitments to FDA, or if FDA determines that our follow-up commitments are insufficient or were not completed with sufficient promptness, we may face a greater risk of potential escalation, which could involve issuance of additional warning letters, or there is a possibility that FDA could initiate consent decree discussions. This may pose a considerable expense, divert management’s attention, and have a potentially negative impact on the public’s perception of us, all of which could negatively impact our financial position and results of operations.

They are not intended for critical care patients or patients suspected of life-threatening arrhythmias who require inpatient or emergency ECG monitoring. In some cases, it may be medically and logistically challenging to obtain information sufficient to definitively determine all contributing factors to an event. The initial reports of these non-physicians are likely to contain information that requires verification and further investigation.

Given the functionality of our technology and our services, we may become aware of data reflecting a non-survivable, end-of-life cardiac event. We or others (such as healthcare professionals, patients, or family members) may report such events even where it does not appear to us that our device caused or could have prevented an end-of-life event. Given the structure of such reporting to FDA the full medical context is not generally available to the public, which may cause additional scrutiny, questions, or concerns regarding our products and services.

We are subject to FDA requirements to investigate complaints about our iRhythm ACM Systems. If we do not effectively manage and monitor our complaint-handling procedures, we may be subject to regulatory enforcement action, litigation risks, and risk of negative publicity.

As demand for our iRhythm Services increases, we may encounter production or service delays or shortfalls. Such production or service delays or shortfalls may be caused by many factors, including the following:

•while we intend to continue to expand our manufacturing capacity, our production processes may have to change to accommodate this growth, potentially involving significant capital expenditures;

•we may experience technical challenges to increasing manufacturing capacity, including in connection with equipment design, automation, validation and installation, contractor issues and delays, licensing and permitting delays or rejections, materials procurement, manufacturing site expansion, problems with production yields, and quality control and assurance;

•key components of our iRhythm ACM Systems are provided by a sole or single supplier or limited number of suppliers, and we do not maintain large inventory levels of these components; if we experience a shortage or quality issues in any of these components, we would need to identify and qualify new supply sources, which could increase our expenses and result in manufacturing delays;

•the extent to which we become dependent upon others for the manufacture of our iRhythm ACM Systems which could adversely affect our future profit margins and our ability to market our iRhythm Services;

•global demand and supply factors concerning commodity components common to all electronic circuits, including iRhythm ACM Systems, could result in shortages that manifest as extended lead times for circuit boards, which could limit our ability to sustain and/or grow our business;

•we may experience a delay in completing validation and verification testing for new production processes and/or equipment at our manufacturing facilities;

•to increase our manufacturing output significantly and scale our services, we will have to attract and retain qualified employees for our operations; and

•in response to unexpectedly rapid growth of our business, clinical operations capacity may not meet demand while new resources are being recruited and trained, which could negatively impact our volume capacity for our iRhythm Services.

Our reliance on third-party vendors subjects us to a number of risks, including:

•inability to obtain adequate supply in a timely manner or on commercially reasonable terms, including due to our reliance on a single supplier for certain critical components and materials for which, in some cases, there are relatively few alternative sources of supply;

•modifications to, or discontinuation of, a vendor’s operations due to natural disasters, labor disruptions, human error, infrastructure failure, pandemics, military conflicts, or political or economic disruption, which may adversely impact our operations or otherwise lead to interruption of or shortage or delays in supply, including shortages impacting our printed circuit board assembly;

•production delays related to the evaluation and testing of products from alternative suppliers and corresponding regulatory qualifications;

•inability of the manufacturer or supplier to comply with our quality criteria and specifications and, where applicable, the QMSR, state regulatory authorities, and, in some cases, the Notified Body audits;

•miscommunication of design specifications due to errors/omissions by either the vendor or our company, resulting in delayed delivery of acceptable materials or components for incorporation into our devices or recall of finished products;

•delays in device shipments resulting from quality issues or defects, reliability issues, or a supplier’s failure to consistently produce quality components;

•price fluctuations due to a lack of long-term supply arrangements with our suppliers for key components;

•inability to control the quality of products manufactured by third parties;

•delays in delivery by our suppliers due to changes in demand from us or their other customers; and

•delays in obtaining required materials and components that are in short supply within the time frames we require, at an affordable cost, or at all.

Further, we rely on single suppliers for the supply of components related to our adhesive sub-assembly, disposable plastic housings, instruments, and other materials that we use to manufacture and label our Zio patches. We have not qualified additional suppliers for some of these components and materials and we do not carry a significant inventory of these items. While we believe that alternative sources of supply may be available, we cannot be certain whether they will be available if and when we need them and that any alternative suppliers would be able to provide the quantity and quality of components and materials that we would need to manufacture our Zio patches if our existing suppliers were unable to satisfy our supply requirements.

We also rely on certain third-party vendors in connection with the analysis we perform to create diagnostic reports for our iRhythm Services, which is dependent upon a recording made by each iRhythm ACM System. For long-term continuous monitoring utilizing our Zio XT System, for example, requires the physical return of the Zio XT to one of our clinical centers and we predominantly rely on the U.S. Postal Service (“USPS”) to perform this delivery service. Further, for the MCT monitoring services utilizing our Zio AT System, we rely on the provision of cellular communication services for the timely transmission of patient information and reportable events. The reliability of the electronic communication and cloud services required for these operations are subject to natural disasters, labor disruptions, human error, and infrastructure failure. We also expect that our reliance on third-party vendors will increase as our business grows, exposing us to increased harm if such disruptions occur.

We have incorporated and continue to work to further incorporate AI into our products, services, and internal operations. Implementation of AI and machine learning technologies may result in legal and regulatory risks, reputational harm, or other adverse consequences to our business.

Our research and development of such technology remains ongoing. AI innovation presents risks and challenges that could impact our business. As with many innovations, AI presents risks and challenges that could undermine or slow its adoption, and therefore harm our business to the extent we increase our reliance on AI in the future. Moreover, our competitors may introduce AI technologies and features into their products and services that achieve greater market acceptance that ours. AI solutions may be controversial because of their impact or perceived impact on human rights, privacy, employment, or other social, economic, or political issues, or if we are unable to develop effective internal policies and frameworks relating to the responsible development and use of AI models and systems, we may experience brand, reputational, and/or competitive harm, or could face legal liability. In a healthcare context, model drift, explainability limits and reliance on de-identified or synthetic data that may be re-identifiable can exacerbate these risks. If the output that AI algorithms assist in producing are or are alleged to be inaccurate, deficient, or biased, our business, financial condition, and results of operations may be adversely affected. Developing, testing and deploying AI systems may also increase the costs of our product offerings due to the nature of the computing costs involved in such systems, which could impact our revenue and adversely affect our business and operating results.

The regulations may impose onerous obligations and may require us to unexpectedly rework or reevaluate improvements to be compliant. In particular, the AI Act, which was adopted and entered into force in 2024 and is currently being implemented in phases since August 2024, has a material impact on the way AI is regulated in the EU, may affect our use of AI technologies, and may require additional compliance measures and changes to our operations and processes. In the United States, there is ongoing tension between the states and the federal government over how best to regulate the use of AI. It is possible that new laws and regulations will be adopted in the United States and elsewhere, or that existing laws and regulations may be interpreted, in ways that would affect our operations. AI used in or as part of medical devices and other “high-risk” systems will be subject to prescriptive risk management, data governance, transparency, human oversight, and post-market monitoring obligations, which may require product, process, and documentation changes and could delay or limit deployment timelines. Use of AI technologies may expose us to an increased risk of regulatory enforcement and litigation. Additionally, our insurance coverage may not extend to all AI-related risks and may not cover us for all losses for errors or omissions caused by AI. Moreover, some of the AI features involve the processing of personal data and may be subject to laws, policies, legal obligations, and codes of conduct related to privacy and data protection. AI development and deployment practices could subject us to competitive harm, regulatory enforcement, increased cyber risks, reputational harm, and legal liability.

Our ability to compete depends on our ability to innovate successfully.

The market for medical devices, including the remote cardiac monitoring segment, is competitive, dynamic, and marked by rapid and substantial technological development and product innovation. While there are barriers that would challenge new entrants or existing competitors from developing products that compete directly with the devices used in our iRhythm Services, these barriers can be overcome. If we are unable to innovate successfully, our services and related devices could become obsolete and our revenue would decline as our customers prescribe or purchase our competitors’ services.

In order to remain competitive, we must continue to develop new product offerings and enhancements to our iRhythm Services. In addition, if we develop new services, sales of those services may reduce revenue generated from our existing services. Maintaining adequate research and development personnel and resources to meet the demands of the market is essential. If we are unable to develop new services and related devices, applications, or features, or improve our algorithms due to constraints, such as insufficient cash resources, high employee turnover, inability to hire personnel with sufficient technical skills, inability or delay to obtain FDA marketing authorization or regulatory clearances in the EU and the UK, or a lack of other research and development resources, we may not be able to maintain our competitive position compared to other companies. Furthermore, many of our competitors devote a considerably greater amount of funds to their research and development programs than we do, and those that do not may be acquired by larger companies that would allocate greater resources to research and development programs. Our failure or inability to devote adequate research and development resources or compete effectively with the research and development programs of our competitors could harm our business.

We have entered into in the past, and may explore or enter into in the future, development or collaboration agreements with third parties. These development and collaboration agreements may not result in the development of commercially viable devices or the generation of significant future revenues.

We have entered into a development and collaboration agreement in the past to develop certain next-generation Afib screening, detection, or monitoring devices to enhance our iRhythm Services, which could involve combining our technology platforms and capabilities with those of a third party, and we intend to enter into similar development and collaboration agreements with third parties in the future. Support of these efforts requires significant resources, including research and development, manufacturing, quality assurance, and clinical and regulatory personnel. Product testing, market research, and related activities may result in a delay to any device launch and additional expense associated with any commercialization efforts. Even if and when launched, the developed devices may also not be accepted in the marketplace, and there is no assurance that adequate coverage or reimbursement would be available, or that an alternative payment model can be developed.

We intend to continue to invest in research and development efforts to further differentiate our biosensor, data analytics and reporting, information system, and digital platform and we may explore or enter into development or collaboration agreements with third parties to further these efforts. We cannot predict whether such efforts will be viable from a regulatory and commercial standpoint, and development or collaboration agreements may not result in the development of commercially viable products or services or the generation of significant future revenues. For example, enforcement action such as that conveyed through the FDA warning letter we received in 2023, as well as other digital health industry regulatory developments, may also impact the availability or viability of potential opportunities.

International expansion of our business exposes us to market, regulatory, political, operational, financial, and economic risks associated with doing business outside of the United States.

While we currently derive substantially all of our revenue and maintain substantially all of our assets in the United States, we intend to continue to pursue growth opportunities outside of the United States, especially in the Philippines, the EU, the UK, Switzerland and Japan, and we may increase our use of administrative and support functions from locations outside the United States, which could expose us to risks associated with international sales and operations. Additionally, our international expansion efforts may not be successful, we may experience difficulties in scaling these functions from locations outside the United States, and we may not experience the expected cost efficiencies.

Our international operations are, and will continue to be, subject to a number of risks, including:

•multiple, conflicting, and changing laws and regulations such as tax laws, privacy laws, export and import restrictions, employment laws, regulatory requirements, and other governmental approvals, permits, and licenses;

•obtaining and sustaining regulatory approvals, certifications, and regulatory compliance where required for the sale of our iRhythm Services in various countries or regions;

•requirements to maintain and secure data and the processing of that data on servers located within such countries or regions, which requirements may be subject to change;

•complexities associated with managing multiple payor reimbursement regimes, government payors, or patient self-pay systems, as well as with participating in public tenders or procurement processes run by national healthcare systems;

•logistics and regulations associated with shipping and returning our Zio patches following patient use;

•limits on our ability to penetrate international markets if we are required to process our iRhythm Services locally;

•financial risks, such as longer payment cycles, difficulty collecting accounts receivable, the effect of local and regional financial pressures on demand and payment for our services, fluctuations in trade policy and tariff regulations, changes in international tax regulations applicable to our business, and exposure to foreign currency exchange rate fluctuations, which may reduce the reported value of our foreign currency denominated revenues, expenses, and cash flows;

•decreased emphasis or enforcement of intellectual property protections in some countries outside the United States in comparison to that in the United States;

•increased risk of litigation or administrative proceedings in connection with our relationships with international business partners, including litigation against persons whom we believe have infringed on our intellectual property, infringement litigation filed against us, litigation against a competitor, or litigation filed against us by distributors or service providers resulting from a breach of contract or other claim, as well as disputes regarding government and public tenders, any of which may result in substantial costs to us, adverse judgments, settlements, and diversion of our management’s attention;

•increased risk of litigation or administrative proceedings in connection with product liability claims, driven in part by a growing third-party litigation funding market in the EU as well as legal and regulatory reform across product safety and product liability such as the EU Product Liability Directive (recently updated by Directive (EU) 2024/2853 to cover digital products like AI software), which makes it easier for individuals to claim compensation for harm caused by unsafe goods on the EU market, and further implementation of the collective redress regime which may lead to group claims in respect of medical devices;

•natural disasters, political and economic instability, including wars and other geopolitical conflicts, terrorism, political unrest, outbreak of disease, boycotts, curtailment of trade, and other market restrictions;

•risks associated with any shifts in economic relations between the UK and the EU, which could result in tariffs or quotas on imported goods or services moving between the UK and the EU;

•regulatory and compliance risks that relate to maintaining accurate information and control over activities subject to regulation under the FCPA, UK Bribery Act of 2010, and comparable laws and regulations in other countries;

•compliance risks under the EU and UK General Data Protection Regulation (collectively, the “GDPR”), including restrictions on the cross-border transfers of personal data, as applicable;

•compliance risks associated with the revised regulations in the EU MDR that outline the requirements for medical device CE marking;

•compliance risks associated with the UK MDR, which replaces the CE marking requirements for medical devices marketed and sold in the UK with a UKCA mark following the UK’s withdrawal from the EU, and the UK government’s announcement to amend the UK MDR, in particular to create a new access pathway to support innovation and create an innovative framework for regulating software and AI as medical devices;

•compliance risks associated with the Japanese PMDA;

•compliance risks associated with the Swiss MedDO;

•compliance risks associated with new or upcoming regulations associated with AI applicable to Software as a Medical Device, including compliance with the EU AI Act; and

•compliance risks associated with existing, new or upcoming requirements and expectations associated with medical device cybersecurity.

Any of these factors may require significant resources to address and could significantly harm our future international expansion and operations and, consequently, our revenue and results of operations.

Our success depends on our ability to attract and retain senior management and key personnel.

Our success depends on our ability to retain our senior management and to attract and retain qualified personnel in the future. Competition for senior management personnel, as well as salespersons, scientists, clinicians, and engineers, is intense and we may not be able to retain our personnel. The loss of key personnel, including key members of our senior management team or members of our board of directors, as well as certain of our key finance, legal, regulatory, research and development, quality, and clinical personnel, could disrupt our operations and have a material and adverse effect on our ability to grow our business. Each of our officers may terminate their employment at any time without notice and without cause or good reason. The loss of a member of our senior management team or our professional staff would require the remaining executive officers to divert immediate and substantial attention to seeking a replacement. We have experienced significant changes in our executive leadership in recent years and we may experience further changes in executive leadership in the future.

Changes to strategic or operating goals, which can often times occur with the appointment of new executives, can create uncertainty, may negatively impact our ability to execute quickly and effectively, and may ultimately be unsuccessful. If we do not integrate new executives successfully, we may be unable to manage and grow our business, and our financial condition and profitability may suffer as a result. In addition, to the extent we experience additional management turnover, competition for top management is high and it may take months to find a candidate that meets our requirements. If we are unable to attract and retain qualified management personnel, our business could suffer.

Further, we may undertake reorganizations of our workforce from time to time, which may result in a temporary reduction in the number of employees in certain locations. We would undertake a reorganization to reduce operating expenses or achieve other business objectives, though we cannot guarantee any specific amount of long-term cost savings. Further, the turnover in our employee base could result in operational and administrative inefficiencies, which could adversely impact the results of our operations, stock price, and customer relationships, could complicate our efforts to retain other valuable employees, and could make recruiting for future management and other positions more difficult.

We have experienced rapid growth in our headcount and in our operations. Any growth that we experience in the future will provide challenges to our organization, requiring us to expand our sales personnel, manufacturing, clinical, customer care, and billing operations and general and administrative infrastructure. In addition to the need to scale our operational and service capacity, future growth will impose significant added responsibilities on management, including the need to identify, recruit, train, and integrate additional employees. Additionally, rapid expansion could require us to rely on overtime to increase capacity that could, in turn, result in greater employee attrition and/or a loss in productivity during the process of recruiting and training additional resources and add to our operating expenses. Further, a move toward automation to address, for example, staffing or scalability needs, could result in unintended consequences, such as increased scrap rate negatively impacting profitability.

As we seek to gain greater efficiency, we may look for ways to expand the automated portion of our iRhythm Services and require productivity improvements from our qualified cardiac technicians, within the framework of our wide-ranging regulatory obligations. Such improvements could impact the content of our Zio reports. In addition, rapid and significant growth may strain our administrative and operational infrastructure. Our ability to manage our business and growth will require us to continue to improve our operational, financial, and management controls, reporting systems, and procedures. If we are unable to manage our growth effectively, it may be difficult for us to execute our business strategy and our business could be harmed.

We have also seen hybrid situations where accounts, in response to staffing shortages, provide in-clinic Zio device packages to patients for application at home. Although in all three scenarios there is the potential that a patient will not return the device(s) at the conclusion of the wear period, home hookups historically result in a higher likelihood that the patient will fail to return his or her device, which negatively impacts our financial condition when we are unable to provide the iRhythm Services. If a patient fails to return a device, we experience financial losses, which include the cost of the device as well as the loss of potential revenue for the service that is contingent on the returned device for the submission of the associated claim.

In January 2022, the U.S. Preventive Services Task Force (“USPSTF”) published a recommendation statement on the screening criteria for Afib screening, stating that current evidence is insufficient to assess the balance of benefits and harm of Afib screening, and thus found that it could neither recommend for or against screening of adults 50 years or older without a diagnosis or symptoms of Afib and without a history of transient ischemic attack or stroke. In its recommendation, the USPSTF also identified research needs and gaps, including for example assurance that future research involves randomized trials of diverse patient populations and conducting research to optimize the accuracy of screening for Afib. We cannot predict whether or when the USPSTF’s recommendation on Afib screening will change or be modified based on findings from additional randomized trials, other research, or through the continued use of our products and services or other similarly situated products and services designed for remote cardiac monitoring.

If we are presented with appropriate opportunities, we could acquire or make other investments in complementary companies, products, or technologies. We may not realize the anticipated benefit of our acquisitions, or the realization of the anticipated benefits may require greater expenditures than anticipated by us. For example, the License Agreement that we entered into with BioIS may not result in the development of commercially viable products or services or the generation of significant future revenues. The success of our efforts is highly dependent on the efforts and skill sets of our employees, and support of these efforts requires significant resources, including research and development, manufacturing, quality assurance, and clinical and regulatory personnel. Even if and when launched, the developed devices may also not be accepted in the marketplace, and there is no assurance that adequate coverage or reimbursement would be available, or that an alternative payment model can be developed.

In addition, we will likely face risks, uncertainties, and disruptions associated with the integration process, including difficulties in the integration of the operations and services of any acquired company, integration of acquired technology with our iRhythm Services, including our iRhythm ACM Systems, diversion of our management’s attention from other business concerns, the potential loss of key employees or suppliers of the acquired businesses, and impairment charges if future acquisitions are not as successful as we originally anticipated. We may also face challenges integrating cybersecurity and data protection controls, heightened external scrutiny on acquired IP rights, regulatory exclusivity periods, and confidentiality agreements, and successor liability imposed by regulators for actions by a target prior to acquisition. If we fail to successfully integrate other companies, products, or technologies that we acquire, our business could be harmed. Furthermore, we may have to incur debt or issue equity or equity-linked securities to pay for any future acquisitions or investments, the issuance of which could be dilutive to our existing stockholders. In addition, our operating results may suffer because of acquisition-related costs, amortization expenses, investment required to address risks associated with the acquisition, or charges relating to acquired intangible assets.

We also regularly evaluate a variety of other potential strategic transactions, including equity and other investments and strategic alliances. Equity and other investments and strategic alliances pose additional risks, as we could share ownership and, in some cases, management responsibilities with one or more other parties whose objectives may diverge from ours over time; who may not have the same priorities, strategies, or resources as we do; or whose interpretation of applicable policies may differ from our own.

The success of our collaboration with BioIS and the extent to which we realize a return on investment in the technology licensed from BioIS is dependent on our achievement of certain regulatory milestones. If those milestones are not met, or if any resulting products do not gain acceptance in the marketplace, our business and operating results may be negatively impacted.

Our License Agreement with BioIS grants us an exclusive license to develop and commercialize pulse oximetry, accelerometry, and trending non-invasive blood pressure technologies for use within our remote cardiac monitoring products and services. It is anticipated that BioIS’s multiparameter sensing technologies will position us to expand the capabilities of our product platform within the remote cardiac monitoring field of use and potentially into adjacent indications such as OSA over time. This will require that any new products developed undergo validation and achieve certain regulatory milestones. Should we fail to meet those milestones, or if there are material delays in doing so, this could impede our ability to commercialize any new products or solutions utilizing the technologies covered by the License Agreement and realize our return on investment.

We are currently exploring opportunities to expand into the market of sleep apnea screening and diagnostics, which carries unique regulatory requirements and represents an ongoing area of focus for government enforcement. Commercialization of new products and services in the sleep testing space will require a significant investment of time and resources. If we are unable to successfully execute on these opportunities, it could have an adverse affect on our reputation, business, and results of operations.

We continue to devote time and resources into exploring the sleep apnea screening and diagnostics market. We do not anticipate meaningful revenue from any such opportunities to expand into the sleep apnea screening and diagnostics market for the foreseeable future. If we fail to capitalize on these opportunities, we may face threats from our competitors should they be able to commercialize products and services in the home sleep testing (“HST”) space on a more expeditious timeline. Additionally, any new HST product or service offering will be subject to specific requirements to qualify for reimbursement under Medicare and Medicaid and by third-party commercial payors. Improper billing activities related to HST product or service offerings have been an area of significant government scrutiny in recent years. Failure to comply with the myriad, complex legal and regulatory requirements surrounding the provision of sleep apnea diagnostics could subject us to substantial civil or criminal penalties, exclusion from participation in the Medicare program, reputational harm, and other adverse consequences to our business and results of operations.

Risks Related to Healthcare Regulatory Matters

Our use of third-party service providers or company resources located outside the United States to support certain customer care, clinical, and other operations of our IDTFs may present challenges, and if we are ineffective in limiting work performed by these service providers or company resources consistent with applicable regulations or our contractual agreements with commercial payors, we may be subject to penalties or experience loss of revenue.

Beginning in the third quarter of 2022, we engaged third-party service providers to support certain customer care and clinical operations of our IDTFs. We have developed operational and technical controls to limit the work performed by these vendors consistent with our interpretation of the Medicare coverage exclusion of services furnished outside the United States, other applicable laws and regulations, and any requirements imposed pursuant to our contracts with commercial payors. If these controls do not work as intended, or if regulators or commercial payors disagree with our interpretation of these requirements and their application to our operations, we may be subject to a requirement to return funds already paid to us, civil monetary penalties, other government enforcement, as highlighted by a 2022 settlement of an enforcement action brought against our competitor, BioTelemetry, Inc., with respect to the support of certain clinical operations by vendors performing work outside the United States, and termination of contracts with commercial payors, as well as the loss of revenue associated with those contracts.

In addition, we are currently engaging with other third-party service providers that have resources located outside the United States, and we have established company resources in the Philippines to provide services in support of our IDTFs. These services include benefits verification, billing, collections, and customer service, which require complex oversight and monitoring for appropriate capture and escalation of complaint information that may be relevant to the quality, performance, and safety of our medical devices or the quality of our clinical services. If we are unable to effectively manage this oversight and monitoring, we may be subject to regulatory enforcement action or inquiries which may be expensive and time consuming to resolve. In addition, certain contracts with commercial payors include restrictions related to accessing patient data outside the United States and we have implemented reasonable controls intended to prohibit unauthorized use of patient data by service providers and company resources located outside the United States for these commercial payors, as appropriate. If these controls do not work as intended, or if the payor information we receive from ordering healthcare providers is delayed or inaccurate, we may encounter the suspension or termination of contracts with commercial payors, as well as any contractual remedies such payors might pursue. The suspension or loss of any of our key commercial payor agreements would have an adverse impact on our revenue and our results of operations.

If we fail to comply with medical device, healthcare, and other governmental regulations, we could face substantial penalties and our business, results of operations, and financial condition could be adversely affected.

The services and related devices we offer are highly regulated, and the regulatory environment in which we operate may change significantly and adversely in the future. Our arrangements with physicians, hospitals, clinics, and other stakeholders in the healthcare industry may expose us to broadly applicable medical device laws and healthcare fraud and abuse and other laws and regulations that may restrict the financial arrangements and relationships through which we market, sell, distribute, and provide our services and related devices. Our employees, consultants, and commercial partners and collaborators may engage in misconduct or other improper activities, including non-compliance with regulatory standards and requirements. Federal, state and international healthcare laws and regulations that may affect our ability to conduct business, include, without limitation:

•state licensure laws applicable to the manufacture, marketing, distribution, and sale of medical devices;

•federal and state laws and regulations regarding billing, claims payment, and enrollment for participation in government healthcare programs, including regulations requiring the timely identification and refunding of overpayments to Medicare and other federally funded healthcare programs;

•the federal AKS, which prohibits, among other things, any person from knowingly and willfully offering, soliciting, receiving, or providing remuneration, directly or indirectly, in exchange for or to induce either the referral of an individual for, or the purchase, order or recommendation of, any good or service for which payment may be made under federal healthcare programs, such as the Medicare and Medicaid programs;

•the federal FCA, which prohibits, among other things, individuals or entities from knowingly presenting, or causing to be presented, false claims, or knowingly using false statements, to obtain payment from the federal government;

•federal criminal laws that prohibit executing a scheme to defraud any healthcare benefit program or making false statements relating to healthcare matters;

•the FCPA, the UK Bribery Act of 2010, and other local anti-corruption, anti-kickback, and transparency laws that apply to our international activities;

•the federal Physician Payment Sunshine Act, or Open Payments, and its implementing regulations, which requires us to report payments or other transfers of value made to licensed physicians and certain mid-level health practitioners and teaching hospitals, as well as ownership and investment interests held by physicians and their immediate family members;

•Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, and its implementing regulations, which impose certain requirements for privacy, security, and electronic transmission of individually identifiable health information and establish criminal liability for knowingly making false statements or concealing material facts in connection with the delivery of or payment for healthcare benefits, items, or services;

•the GDPR, which provides legal requirements for the handling and disclosure (including across borders) of personal data collected in the EU and the UK;

•FDA’s Code of Federal Regulations, including but not limited to, 21 CFR Parts 820, 803, 806, and 801, that outlines requirements for medical device design, testing, marketing authorization, manufacturing, labeling, distribution, and post-market surveillance requirements;

•the EU MDR that outline requirements for medical device CE marking;

•the UK MDR, which, post the UK’s withdrawal from the EU, replaces the CE marking requirement for medical devices sold in the UK with a UKCA mark;

•the Swiss MedDO, which governs the approval and importation requirements of medical devices into Switzerland;

•the Japanese PMDA, which outlines comprehensive standards for the design, evaluation, marketing approval, production, labeling, distribution, and ongoing monitoring of medical devices in Japan; and

•state law equivalents of each of the above U.S. federal laws, such as anti-kickback and false claims laws which may apply to items or services reimbursed by any third-party payor, including commercial insurers, and state and foreign laws governing the privacy and security of individually identifiable information in certain circumstances (e.g.

These laws are broad in scope and available exceptions and exemptions are narrow; it is possible that some of our activities could be subject to challenge under one or more of such laws. Any action brought against us for violations of these laws or regulations, even if successfully defended, could cause us to incur significant legal expenses and divert our management’s attention from the operation of our business. If the government decides to intervene and prevails in the lawsuit, the individual will share in the proceeds from any fines or settlement funds. If the government declines to intervene, the individual may pursue the case alone. In 2025, whistleblowers filed 1,297 qui tam lawsuits under the FCA—the highest number in a single year—and whistleblowers are becoming increasingly willing to pursue cases on their own following a declination by the government. For violations assessed after July 3, 2025, the minimum FCA penalty increased from $13,946 to $14,308 per claim and the maximum penalty increased from $27,894 to $28,619 per claim. In addition, FCA lawsuits may expose defendants to follow-on claims by private payers based on fraudulent marketing practices. Recent growth in FCA litigation has increased the risk that companies will have to defend a false claim action, and pay settlements, fines or restitution, as well as criminal and civil penalties, agree to comply with burdensome reporting and compliance obligations, and/or be excluded from Medicare or other federal and state healthcare programs. For example, our industry has experienced recent FCA enforcement, including a December 2023 settlement by BioTelemetry, Inc. and its subsidiary LifeWatch Services Inc. involving allegations that these companies submitted claims to federal programs for a higher level of remote cardiac monitoring than physicians had intended to order or that was medically necessary, thus inflating the level of reimbursement paid, which highlights the importance of compliance with the rules and regulations governing claims submitted to federal healthcare programs.

Although we have adopted policies and procedures designed to comply with these laws and regulations and conduct internal reviews of our compliance with these laws, our compliance is also subject to governmental review. The growth of our business and sales organization and our expansion outside of the United States may increase the potential of violating these laws or our internal policies and procedures. The risk of our being found in violation of these or other laws and regulations is further increased by the fact that many have not been fully interpreted by the regulatory authorities or the courts, and their provisions are open to a variety of interpretations. Any action brought against us for violation of these or other laws or regulations, even if we successfully defend against it, could cause us to incur significant legal expenses and divert our management’s attention from the operation of our business. If our operations are found to be in violation of any of the federal, state, or foreign laws described above or any other current or future fraud and abuse or other healthcare laws and regulations that apply to us, we may be subject to penalties, including significant criminal, civil, and administrative penalties, damages, fines, imprisonment for individuals, exclusion from participation in government programs, such as Medicare, and we could be required to curtail or cease our operations. Any of the foregoing consequences could seriously harm our business and our financial results.

Further, in 2024 the U.S. Supreme Court reversed its longstanding approach under the Chevron doctrine, which provided for judicial deference to regulatory agencies, including FDA. As a result of this decision, we cannot be sure whether there will be increased challenges to existing agency regulations or how lower courts will apply the decision in the context of other regulatory schemes without more specific guidance from the U.S. Supreme Court. For example, this decision may result in more companies bringing lawsuits against FDA to challenge longstanding decisions and policies of FDA, which could undermine FDA’s authority, lead to uncertainties in the industry, and disrupt FDA’s normal operations, which could impact the timely review of any regulatory filings or applications we submit to FDA.

Healthcare laws and regulations, and interpretations of the same, change frequently and may change significantly in the future. We may not be able to adapt our operations to address every new regulation or interpretation, and new regulations or interpretations may adversely affect our business. For example, FDA has taken novel steps in recent years to regulate MCT devices—including Zio AT—through administrative actions including development of Product Code QYX and assignment of that Product Code to certain devices already on the market, and also to applicants seeking 510(k) clearance for devices used in MCT monitoring services. FDA’s inclusion in the Product Code’s “Definition” of “Outpatient Cardiac Telemetry” devices certain activities in the purview of IDTFs and other monitoring locations presents the potential for these activities to be viewed as a component of the device subject to direct FDA oversight. It remains unclear how FDA will continue to interpret and enforce the device requirements for devices that FDA assigns to Product Code QYX.

There also remains general uncertainty regarding future government activities, including enforcement policies. For example, DOJ disbanded the CBP, which was responsible for enforcement of the FD&C Act. Following dissolution of the CPB, on September 25, 2025, DOJ announced a restructuring under which the Civil Division’s litigation work would be consolidated into a new Enforcement & Affirmative Litigation Branch, and the Health and Safety Unit housed within the Fraud Section of DOJ’s Criminal Division is now charged with criminal enforcement of the FD&C Act. Alternatively, state governments may attempt to address perceived gaps in regulation or react to changes at the federal level with changes to their own regulatory frameworks in a manner that is adverse to our operations. We also cannot assure that a review of our business by courts or regulatory authorities would not result in a determination that adversely affects our revenue and operating results.

Our business could be negatively impacted by changes in the United States political environment.

Any policy changes as a result of the current presidential administration and Congress could significantly affect our business as well as the markets in which we operate. Specific legislative and regulatory proposals discussed during election campaigns and since inauguration that might materially impact our business include, but are not limited to, promoting access to healthcare via market competition and pricing transparency, enhancing flexibility and choice in healthcare at the state and individual level, prioritizing domestic production and increasing tariffs on imports (which may complicate and increase costs associated with our supply chain and our international

expansion), and rolling back regulatory initiatives adopted under the previous administration. We cannot predict whether industry initiatives to seek tariff carve-outs for devices or other life sciences goods and products will be successful.

Some of these legislative and regulatory proposals have manifested to date in the form of specific tariff proposals, and actions to reduce the size of the federal government, including large-scale reductions in force at FDA. The loss of key personnel at FDA, including those in leadership positions, is likely to impact the operations at FDA, which could result in, among other things, delays or limitations on our ability to obtain guidance from FDA on our products, longer review times, and delays in obtaining regulatory approvals. The escalating global economic competition and trade tensions among the U.S. and its trading partners could have an adverse effect on our business, results of operations, financial condition and cash flows, and there is risk of additional tariffs and other kinds of restrictions. The current administration also has issued, and is expected to continue relying upon, executive orders to address a wide range of policy areas, some of which may impact our business. Examples of executive orders that have already been issued on public health and healthcare topics include orders seeking to promote healthcare price transparency, deliver most-favored-nation pricing for prescription drugs to patients and facilitate direct-to-consumer drug sales, promote domestic production of pharmaceutical products, and expand access to in vitro fertilization. Such political developments may require us to allocate significant time, resources, and expense to modifying our policies and procedures, processes, systems, and practices to ensure compliance or adapt to the new regulatory climate, particularly to the extent such actions are subject to protracted and uncertain legal challenges. To the extent changes in the political environment have a negative impact on us or on our markets, our business, results of operation, and financial condition could be materially and adversely affected in the future.

These relationships, interactions, and arrangements are subject to a high degree of scrutiny by government regulators and enforcement bodies.

However, as we work to establish and maintain these relationships, we face significant scrutiny of these relationships, interactions, and arrangements by government regulators and enforcement agencies.

Our communications with healthcare stakeholders – physicians and other healthcare professionals, payors, and similar entities, as well as patients and lay caregivers – are subject to a high degree of scrutiny for compliance with a wide range of laws and regulations. Continuing or increasing our sales and marketing and other external communication efforts may expose us to additional risk of being alleged or deemed to be non-compliant by regulators, enforcement authorities, or competitors.

In addition, FDA applies a heightened level of scrutiny to comparative claims when applying its statutory standards for advertising and promotion, including with regard to its requirement that promotional labeling be truthful and not misleading. FDA will evaluate communications, in context, on a fact-specific basis. This is a continued area of focus for regulators. The FTC has also released updated guidance on health claims, with a high expectation for clinical data to support these claims.

In addition, making comparative claims may draw scrutiny from our competitors. Where a company makes a claim in advertising or promotion that its product is superior to the product of a competitor (or that the competitor’s product is inferior), this creates a risk of a lawsuit by the competitor under federal and state false advertising or unfair and deceptive trade practices law, and possibly also state libel law. Such a suit may seek injunctive relief against further advertising, a court order directing corrective advertising, and compensatory and punitive damages where permitted by law. If our compliance program and training and monitoring do not effectively keep pace with our sales and marketing growth, we may encounter increased risk in execution of activities by our personnel, potential enforcement and other exposure.

For example, certain of our physicians may order the iRhythm Services for patients who are under 18, which is outside the cleared indications for use. While we do not intend for any personnel to promote our devices for pediatric use and we have policies addressing appropriate responses to unsolicited requests for information about pediatric use, our approach may be subject to ongoing scrutiny from FDA.

If FDA or other federal, state, or foreign enforcement authorities determine that our labeling, advertising, promotional materials, or user training materials, or representations made by our personnel include the promotion of an off-label use for the device, or that we have made false or misleading or inadequately substantiated promotional claims, or claims that could potentially change the regulatory status of the product, FDA or other authorities could take the position that these materials have misbranded our devices and request that we modify our labeling, advertising, or user training or promotional materials and/or subject us to regulatory or legal enforcement actions, including the issuance of an Untitled Letter or a Warning Letter, injunction, seizure, recall, adverse publicity, civil penalties, criminal penalties, including substantial fines, or other adverse actions. In that event, we would be subject to extensive fines and penalties and our reputation could be damaged and adoption of the products would be impaired. Although we intend to refrain from statements that could be considered off-label promotion of our products, FDA or another regulatory agency could disagree and conclude that we have engaged in off-label promotion.

Changes in laws and regulations governing our communications with patients or the interpretation or enforcement policies of regulators could subject us to regulatory scrutiny, damage awards, or fines.

As a Medicare-enrolled IDTF, we are prohibited from directly soliciting patients for diagnostic medical procedures. While we can engage in general marketing initiatives, consistent with applicable law, we cannot make telephone, computer, and in-person contacts for the purpose of soliciting business for our IDTF.

In the wake of a 2021 decision by the U.S. Supreme Court that limited the applicability of the TCPA, several states have enacted or introduced legislation that would regulate text messages and certain telephone calls to individuals and, in some instances, impose stricter requirements than federal law. Certain non‑marketing healthcare messages may qualify for limited TCPA exemptions if specific conditions are met (e.g., content limits, frequency caps, opt‑out, and no charge to the recipient). We may be subject to lawsuits (including class-action lawsuits) containing allegations that our business violated the TCPA or other communications laws. These lawsuits may seek damages (including statutory damages) and injunctive relief, among other remedies. We also may face enforcement by the Federal Communications Commission (including under the Telemarketing Sales Rule and Do‑Not‑Call provisions) and state attorneys general. A determination that there have been violations of the TCPA or other statutes regulating communications with patients could expose us to significant damage awards that could, individually or in the aggregate, materially harm our business.

While most of our revenue results from claims submitted to payors for diagnostic medical procedures, we offer, and are looking to expand, alternative payment and service delivery models. Piloting, evaluating, and implementing these alternative payment and service delivery models requires interactions with commercial payors, physicians, and patients; these interactions are subject to laws and regulations aimed at preventing healthcare fraud and abuse. If these models are unsuccessful, or if we are unable to fully comply with such laws as we pursue these strategies, our commercial success could be compromised and we could face substantial penalties.

For some of our services, we directly bill physicians or other healthcare entities, that, in turn, bill payors, and the amounts we bill may include a risk-based pricing component. If our past, present, or future operations are found to be in violation of fraud and abuse laws, we or our officers may be subject to civil or criminal penalties, including large monetary penalties, damages, fines, imprisonment, and exclusion from Medicare program participation. Furthermore, if we knowingly file, or “cause” the filing of, false claims for reimbursement with government programs such as Medicare, we may be subject to substantial civil penalties, including treble damages.

Risks Related to Financial and Accounting Matters

Our failure to maintain an effective system of internal controls, which may result in material misstatements of our consolidated financial statements or cause us to fail to meet our periodic reporting obligations.

As a public company, we are subject to certain reporting requirements, including those under the Sarbanes-Oxley Act, which requires, among other things, that we maintain effective internal control over financial reporting and disclosure controls and procedures. In order to maintain and improve the effectiveness of our internal controls and disclosure controls and procedures, we have expended, and anticipate that we will continue to expend, significant resources, including accounting related costs and significant management oversight.

Maintaining effective internal control and disclosure controls and procedures requires ongoing attention and resources. We continue to seek improvements to enhance our control environment and to strengthen our internal controls to provide reasonable assurance that our financial statements continue to be fairly stated in all material respects.

Our internal control over financial reporting will not prevent or detect all errors and all fraud. A control system, no matter how well designed and operated, can provide only reasonable, not absolute, assurance that the control system’s objectives will be met. Because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud will be detected.

Failure to remedy any material weakness in our internal control over financial reporting, or to implement or maintain other effective control systems required of public companies, could also restrict our future access to the capital markets.

Our financial results may fluctuate significantly from quarter-to-quarter and may not fully reflect the underlying performance of our business.

Our revenue and operating results may fluctuate significantly from quarter to quarter as a result of a variety of factors, a number of which are outside our control, and may therefore not fully reflect the underlying performance of our business. Such factors may include, for example, seasonal variations in prescription rates. We typically experience reduced revenue during the third quarter, as well as during the year-end holiday season. We believe this

is the result of physicians and patients taking vacations, and patients electing to delay our monitoring services during the summer months and holidays. We believe that period-to-period comparisons of our operating results may not be meaningful and should not be relied on as an indication of our future performance. If quarterly revenues or operating results fall below the expectations of investors or public market analysts, the trading price of our common stock could decline substantially. Factors that might cause quarterly fluctuations in our operating results include:

•our inability to manufacture an adequate supply of our iRhythm ACM Systems to support demand for our iRhythm Services at appropriate quality levels and acceptable costs;

•possible delays in our research and development programs or in the completion of any third-party clinical trials relating to our iRhythm Services;

•a lack of acceptance of our iRhythm Services, including our iRhythm ACM Systems, by physicians and potential patients;

•the inability of patients to receive reimbursements from third-party payors;

•the purchasing patterns of physicians and patients, including as a result of seasonality;

•failures to comply with regulatory requirements, which could lead to withdrawal of our iRhythm Services, including our iRhythm ACM Systems, from the market;

•our failure to continue the commercialization of our iRhythm Services;

•competition;

•inadequate financial and other resources; and

•global business, political, and economic conditions, including inflation, interest rate volatility, cybersecurity events, uncertainty with respect to the federal debt ceiling and budget and potential government shutdowns related thereto, potential instability in the global banking system, political instability, and military hostilities, including ongoing geopolitical conflicts, such as the war in Ukraine and conflicts in the Middle East and Venezuela.

Further, we recognize a portion of our revenue from non-contracted third-party commercial payors. For example, during the year ended December 31, 2025, revenue from non-contracted third-party commercial payors accounted for approximately 7% of our total revenue. Additionally, a portion of the revenue from non-contracted payors is received from patient co-pays, which we may not receive for several months following delivery of service or may not receive at all. For revenue related to non-contracted payors, we estimate an average collection rate based on factors including historical cash collections. Subsequent adjustments, if applicable, are recorded as an adjustment to revenue. Fluctuations in revenue may make it difficult for us, research analysts, and investors to accurately forecast our revenue and operating results or to assess our actual performance. If our revenue or operating results fall below expectations, the price of our common stock would likely decline.

We have a history of operating losses and may not achieve or sustain profitability in the future.

We have incurred net losses since our inception in September 2006. We generated net losses of $44.6 million and $113.3 million during the years ended December 31, 2025 and 2024, respectively. As of December 31, 2025, we had an accumulated deficit of $803.4 million. We have and expect to continue to incur significant research and development, sales and marketing, regulatory, and other expenses as we expand our marketing efforts to increase the prescription of our iRhythm Services, expand existing relationships with physicians, obtain regulatory clearances or approvals for our current or future services and related devices, conduct clinical trials on our existing and future services, and develop new services or add new features to our existing iRhythm Services. We also expect that our general and administrative expenses will continue to increase due to, among other things, the operational and regulatory burdens applicable to medical service providers that are public companies. These losses, among other things, may have an adverse effect on our stockholders’ equity and the value of our common stock.

We may require additional capital to support the growth of our business, and this capital might not be available on acceptable terms, if at all.

Our operations have consumed substantial amounts of cash since inception. We intend to continue to make investments to support our business, which may require us to engage in equity or debt financings to secure additional funds. Additional financing may not be available on a timely basis on terms acceptable to us, or at all. Any additional financing may be dilutive to stockholders or may require us to grant a lender a security interest in our assets. The amount of funding we may need will depend on many factors, including:

•the revenue generated by our iRhythm Services;

•the costs, timing, and risks of delay of additional regulatory approvals;

•the expenses we incur in manufacturing, developing, selling, and marketing our iRhythm Services;

•our ability to scale our manufacturing operations to meet demand for the iRhythm ACM Systems used in our current and any future iRhythm Services or other offerings;

•the costs of filing, prosecuting, defending, and enforcing any patent claims and other intellectual property rights;

•the rate of progress and cost of our clinical trials and other development activities;

•the success of our research and development efforts;

•the emergence of competing or complementary technologies;

•the terms and timing of any collaborative, licensing, and other arrangements that we may establish;

•the cost of ongoing compliance with legal and regulatory requirements, and third-party payors’ policies;

•the cost of obtaining and maintaining regulatory or payor clearance or approval for our current or future offerings including those integrated with other companies’ products; and

•the acquisition of business, products, and technologies.

We also may have to reduce sales, marketing, customer support, or other resources devoted to our iRhythm Services. Any of these factors could harm our business and financial condition.

Our ability to use our net operating losses (“NOLs”) to offset future taxable income may be subject to certain limitations which could subject our business to higher tax liability. We may be limited in the portion of NOL carryforwards that we can use in the future to offset taxable income for U.S. federal and state income tax purposes, and federal tax credits to offset federal tax liabilities. Sections 382 and 383 of the Code place a formula limit on how much NOLs and tax credits a corporation can use in a tax year after a change in ownership. Avoiding an ownership change is generally beyond our control. We could experience an ownership change that might limit our use of NOLs and tax credits in the future. In addition, realization of deferred tax assets, including NOL carryforwards, depends upon our future earnings in the applicable tax jurisdictions.

There is also a risk that due to regulatory changes or changes to federal or state law, such as suspensions on the use of NOLs, or other unforeseen reasons, our existing NOLs could expire or otherwise be unavailable either in whole or in part to offset future income tax liabilities. For example, under the Tax Cuts and Jobs Act (“TCJA”), NOLs arising in taxable years beginning after December 31, 2017 may offset no more than 80% of current taxable income (without regard for certain deductions). Therefore, we may be required to pay U.S. federal income taxes in future years despite the NOL carryforwards we have accumulated.

Risks Related to Other Legal and Regulatory Matters

We are subject to legal proceedings and government investigations that could adversely affect our business, financial condition, and results of operations.

In addition, the expense of litigation and the timing of this expense from period to period are difficult to estimate and subject to change. Litigation and other claims are subject to inherent uncertainties and management’s view of these matters may change in the future. Given the uncertain nature of legal proceedings generally, we are not able in all cases to estimate the amount or range of loss that could result from an unfavorable outcome. We could incur judgments or enter into settlements of claims that could have a material adverse effect on our results of operations in any particular period.

For example, as discussed further in Note 8, Commitments and Contingencies, to the Consolidated Financial Statements, in March 2021, we received a grand jury subpoena from the U.S. Attorney’s Office for the Northern District of California requesting information related to communications with FDA and our iRhythm ACM Systems, and, in September 2021, received a subpoena requesting additional information. On April 4, 2023, we received a Subpoena Duces Tecum from the Consumer Protection Branch, Civil Division of the DOJ, requesting production of various documents regarding our products and services. In addition, on May 25, 2023, we received a warning letter from FDA, which resulted from the inspection of our facility located in Cypress, California that concluded in August 2022. The warning letter alleged non-conformities to regulations for medical devices, including medical device reporting requirements, relating to our Zio AT System and medical device quality system requirements. On July 15, 2024, FDA initiated inspections of our Cypress and San Francisco facilities. We received 483 observations at the close of the inspection. On December 12, 2025, we received a civil investigative demand from DOJ’s Civil Division’s Commercial Litigation Branch seeking information and documents related to Zio AT and our associated claims for reimbursement. We have cooperated, and are continuing to cooperate, fully in connection with these matters.

Further, three decisions from the U.S. Supreme Court in July 2024 may lead to an increase in litigation against regulatory agencies that could create uncertainty and thus negatively impact our business. The first decision overturned established precedent that required courts to defer to regulatory agencies’ interpretations of ambiguous statutory language. The second decision overturned regulatory agencies’ ability to impose civil penalties in administrative proceedings. The third decision extended the statute of limitations within which entities may challenge agency actions. These cases may result in increased litigation by industry parties against regulatory agencies and impact how such agencies choose to pursue enforcement and compliance actions. However, the specific, lasting effects of these decisions, which may vary within different judicial districts and circuits, is unknown. We also cannot predict the extent to which FDA and SEC regulations, policies, and decisions may become subject to increasing legal challenges, delays, and changes.

Compliance with requirements of being a public company may strain our resources and divert management’s attention.

As a public company, we are subject to laws and regulations relating to corporate governance and public disclosure, including the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the rules and regulations implemented by the SEC, and The Nasdaq Global Select Market listing rules. Compliance with these laws and regulations, including new laws and regulations or revisions to existing laws and regulations, has required and will continue to require, substantial management time and oversight and the incurrence of significant accounting and legal costs. These laws, regulations, and standards are subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to continue to invest resources to comply with evolving laws, regulations, and standards, and this investment may result in increased general and administrative expenses and a diversion of management’s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, regulations, and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory authorities may initiate legal proceedings against us and our business may be adversely affected.

We could be subject to changes in our tax rates, new U.S. or international tax legislation, or additional tax liabilities.

We are subject to taxes in the United States and numerous foreign jurisdictions, where certain of our subsidiaries are organized. The tax laws in the United States and in other countries in which we and our subsidiaries do business could change on a prospective or retroactive basis, and any such changes could adversely affect our business and financial condition. Our effective tax rates could be affected by numerous factors, including changes in the mix of earnings in countries with differing statutory tax rates, changes in the valuation of deferred tax assets and liabilities, and changes in tax laws or their interpretation, both in and outside the United States.

For example, under the TCJA, as amended by the legislation commonly known as the One Big Beautiful Bill Act (“OBBBA”), for tax years beginning after December 31, 2021, taxpayers are required to capitalize and amortize certain research and development expenditures over fifteen years if incurred in foreign jurisdictions. For tax years beginning after December 31, 2021, and beginning on or before December 31, 2024, taxpayers generally were required to capitalize and amortize certain research and development expenditures over five years if incurred in the United States; however, beginning after that period, the OBBBA restored immediate deductibility of research and development expenditures incurred in the United States. In addition, we have a presence in the UK, as well as sales in the UK, such that any changes in tax laws in the UK will impact our business. The overall impact of these changes is uncertain, and our business and financial condition could be adversely affected.

In addition, the Organization for Economic Cooperation and Development has proposed a global minimum tax of 15% of reported profits (“Pillar 2”) that has been agreed upon in principle by over 140 countries. Many countries have taken steps to incorporate Pillar 2 into their domestic tax laws. While neither BEAT nor Pillar 2 impact our results of operations currently, if applicable in the future, they could have an impact on our financial results, the extent of which is uncertain.

Our tax returns and other tax matters also are subject to examination by the U.S. Internal Revenue Service and other tax authorities and governmental bodies. We regularly assess the likelihood of an adverse outcome resulting from these examinations to determine the adequacy of our provision for taxes. We cannot guarantee the outcome of these examinations. If our effective tax rates were to increase, particularly in the United States, or in other jurisdictions implementing legislation to reform existing tax legislation, including the UK, or if the ultimate determination of our taxes owed is for an amount in excess of amounts previously accrued, our financial condition, operating results, and cash flows could be adversely affected.

We may be liable for contamination or other harm caused by materials that we handle, and changes in environmental regulations could cause us to incur additional expense.

Our research and development and manufacturing operations may involve the use or handling of hazardous materials. We are subject to a variety of federal, state, local, and international laws, rules, and regulations governing the use, handling, storage, disposal and remediation of hazardous and biological materials, as well as the sale, labeling, collection, recycling, treatment, and disposal, of products containing such hazardous substances, and we incur expenses relating to compliance with these laws and regulations. If we violate environmental, health, and safety laws, including as a result of human error, equipment failure, or other cases, we could face substantial liabilities, fines, and penalties, personal injury and third-party property damage claims, and substantial investigation and remediation costs. These expenses or this liability could have a significant negative impact on our financial condition. Environmental laws could become more stringent over time, imposing greater compliance costs and increasing risks and penalties associated with violations. We are subject to potentially conflicting and changing regulatory agendas of political, business, and environmental groups. Changes to or restrictions on the procedures for hazardous or biological material storage or handling might require unplanned capital investment or relocation of our facilities. Failure to comply, or the cost of complying, with new or existing laws or regulations could harm our business, financial condition, and results of operations.

Risks Related to Intellectual Property

We may be subject to claims of infringement or misappropriation of the intellectual property rights of others, which could prohibit us from shipping affected devices, require us to obtain licenses from third parties or to develop non-infringing alternatives, and subject us to substantial monetary damages and injunctive relief.

Third parties may assert infringement or misappropriation claims against us with respect to our current or future devices and services, including our iRhythm ACM Systems. We are aware of numerous patents issued to third parties that may relate to aspects of our business, including the design and manufacture of the iRhythm ACM Systems used in connection with our iRhythm Services. Therefore, we cannot be certain that we have not infringed the intellectual property rights of such third parties or others. Further, the intellectual property ownership and licensed rights, including patent rights, surrounding AI technologies, which we are increasingly building into our products and services, have not been fully addressed by U.S. courts or other federal, state or foreign laws or regulations, and the use or adoption of AI technologies in our products and services may expose us to copyright infringement, patent infringement, or other intellectual property misappropriation claims. Our competitors may assert that our iRhythm ACM Systems or the methods we employ to deliver our iRhythm Services are covered by U.S. or foreign patents held by them and we may be required to settle such allegations in the future. This risk is exacerbated by the fact that there are numerous issued patents and pending patent applications relating to remote cardiac monitoring services and the associated devices granted to third parties. As the number of competitors in the remote cardiac monitoring market grows, the possibility of patent infringement by us or a patent infringement claim against us increases. If we are unable to successfully defend any such claims as they may arise or enter into or extend settlement and license agreements on acceptable terms or at all, our business operations may be harmed.

Although patent and intellectual property disputes in the healthcare and medical devices

area have often been settled through licensing or similar arrangements, costs associated with such arrangements may be substantial and would likely include ongoing royalties.

We currently rely on or incorporate, and will in the future rely on or incorporate, technology that we license from third parties, including software, into our solutions. We cannot be certain that our licensors do not or will not infringe on the intellectual property rights of third parties or that our licensors have or will have sufficient rights to the licensed intellectual property in all jurisdictions in which we may sell our platform. Some of our agreements with our licensors may be terminated by them for convenience, or otherwise provide for a limited term. If we are unable to continue to license technology because of intellectual property infringement claims brought by third parties against our licensors or against us, or if we are unable to continue our license agreements or enter into new licenses on commercially reasonable terms, our ability to develop and sell solutions and services containing or dependent on that technology would be limited, and our business, including our financial conditions, cash flows and results of operations could be harmed. Additionally, if we are unable to license technology from third parties, we may be forced to acquire or develop alternative technology, which we may be unable to do in a commercially feasible manner, or at all, and may require us to use alternative technology of lower quality or performance standards. This could limit or delay our ability to offer new or competitive solutions and increase our costs. Third-party software we rely on may be updated infrequently, unsupported or subject to vulnerabilities that may not be resolved in a timely manner, any of which may expose our solutions to vulnerabilities. Any impairment of the technologies or of our relationship with these third parties could harm our business, operating results, and financial condition.

Further, if we are found to infringe third-party patents, a court could order us to pay damages to compensate the patent owner for the infringement, such as a reasonable royalty amount and/or profits lost by the patent owners, along with prejudgment and/or post-judgment interest. Furthermore, if we are found to willfully infringe third-party patents, we could, in addition to other penalties, be required to pay treble damages; and if the court finds the case to be exceptional, we may be required to pay attorneys’ fees for the prevailing party. If we are found to infringe third-party copyrights or trademarks or misappropriate third-party trade secrets, based on the intellectual property at issue, a court could order us to pay statutory damages, actual damages, or profits, such as reasonable royalty or lost profits of the owners, unjust enrichment, disgorgement of profits, and/or a reasonable royalty, and the court could potentially award attorneys’ fees or exemplary or enhanced damages. If litigation were to be initiated by intellectual property owners, there could significant legal fees and costs incurred in defending litigation (which may include filing administrative actions to attack the intellectual property) as well as a potential monetary settlement payment to the owners, even if the matter is resolved before going to trial. Moreover, the owners may take an overly aggressive approach and/or include multiple allegations in a single litigation.

Our inability to adequately protect our intellectual property could allow our competitors and others to produce devices and offer services based on our technology, which could substantially impair our ability to compete.

Our success and our ability to compete depend, in part, upon our ability to maintain the proprietary nature of our technologies. We rely on a combination of patent, copyright, and trademark law, and trade secrets, nondisclosure agreements, unfair competition laws, and other related laws, and contractual provisions to protect our intellectual property with our customers, third-party partners, and consultants. However, such methods may not be adequate to protect us or permit us to gain or maintain a competitive advantage.

For example, our patent applications may not issue as patents in a form that will be advantageous to us, or at all. Our issued patents, and those that may issue in the future, may be challenged, invalidated, or circumvented, which could limit our ability to stop competitors from marketing related devices and services. We cannot be certain that we were the first to make the inventions claimed in our pending patent applications or that we were the first to file for patent protection. Additionally, the process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in a timely manner. In addition, recent changes to the patent laws in the U.S. may bring into question the validity of certain software patents and may make it more difficult and costly to prosecute patent applications.

Despite our efforts to protect our proprietary rights, unauthorized parties may attempt to copy aspects of our platform or obtain and use information that we regard as proprietary. In particular, we are unable to predict or assure that:

•our intellectual property rights will not lapse or be invalidated, circumvented, challenged, or, in the case of third-party intellectual property rights licensed to us, be licensed to others;

•our intellectual property rights will provide competitive advantages to us;

•rights previously granted by third parties to intellectual property licensed or assigned to us, including portfolio cross-licenses, will not hamper our ability to assert our intellectual property rights or hinder the settlement of currently pending or future disputes;

•any of our pending or future patent, copyright, or trademark applications will be issued or have the coverage originally sought;

•we will be able to enforce our intellectual property rights in certain jurisdictions where competition is intense or where legal protection may be weak; or

•we have sufficient intellectual property rights to protect our products or our business.

These agreements may not provide meaningful protection for our trade secrets, know-how, or other proprietary information in the event of any unauthorized use, misappropriation, or disclosure of such trade secrets, know-how, or other proprietary information. There can be no assurance that employees, consultants, vendors, and clients have executed such agreements or have not breached or will not breach their agreements with us, that we will have adequate remedies for any breach, or that our trade secrets will not otherwise become known or independently developed by competitors. Lastly, the measures we employ to limit the access and distribution of our proprietary information may not prevent unauthorized use or disclosure of our proprietary technology or intellectual property. As such, we cannot guarantee that the steps taken by us will prevent misappropriation of our technology.

We cannot assure you that our trademark applications will be approved. Further, during trademark registration proceedings, we may receive rejections. Although we are given an opportunity to respond to those rejections, we may be unable to overcome such rejections. In addition, in proceedings before the USPTO and in proceedings before comparable agencies in many foreign jurisdictions, third parties are given an opportunity to oppose pending trademark applications and to seek to cancel registered trademarks. Opposition or cancellation proceedings may be filed against our trademarks, and our trademarks may not survive such proceedings.

To protect our proprietary rights, we may in the future need to assert claims of infringement against third parties. The outcome of litigation to enforce our intellectual property rights in patents, copyrights, trade secrets, or trademarks is highly unpredictable, could result in substantial costs and diversion of resources, and could have a material adverse effect on our business, financial condition, and results of operations regardless of the final

outcome of such litigation. In the event of an adverse judgment, a court could hold that some or all of our asserted intellectual property rights are not infringed, or are invalid or unenforceable, and could award attorneys’ fees.

Despite our efforts to safeguard our unpatented and unregistered intellectual property rights, we may not succeed in doing so or the steps taken by us in this regard may not be adequate to detect or deter misappropriation of our technology or to prevent an unauthorized third party from copying or otherwise obtaining and using our devices, technology, or other information that we regard as proprietary. In addition, third parties may be able to design around our patents. Furthermore, the laws of foreign countries may not protect our proprietary rights to the same extent as the laws of the United States.

Risks Related to Privacy and Security

Cybersecurity risks, including those involving network security breaches, services interruptions and other incidents affecting the confidentiality, integrity or availability of our data and systems, could result in the compromise of confidential data or critical systems and give rise to potential harm to our patients, remediation costs and other expenses, expose us to liability under HIPAA, breach notification laws, consumer protection laws, or other common law theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be disruptive to our business and operations.

Cybersecurity threats can come from a variety of sources, ranging in sophistication from an individual hacker to malfeasance by employees, consultants or service providers to criminal or other unauthorized threat actors, including state-sponsored attackers. Unauthorized parties may also attempt to gain access to our systems or facilities through fraud, trickery or other forms of deceiving our employees, and contractors. Cyber threats may be generic, or they may be custom-crafted against our information systems. Cyber incidents can result from deliberate attacks or unintentional events. Over the past several years, cyber-attacks and other cyber incidents have become more prevalent and much harder to detect and defend against. For example, during the first quarter of 2024, we experienced a temporary delay in the billing of our contracted and non-contracted payer customers, performed by our third-party claims processing vendor. The delay was due to a cybersecurity incident experienced by Change Healthcare, a division of UnitedHealth Group, which one of our third-party vendors engages for services relating to billing and collections. The delay in billing resulted in a temporary delay in our cash collections. Risks related to our reliance on third-party vendors, industry concentration risks and single points of failure could materially affect our collections and operations.

Our internal technology systems and infrastructure, and those of our contractors, are vulnerable to damage from natural disasters, acts of terrorism, war and other acts of foreign governments and failures of telecommunication, electrical and other critical systems. In addition, hardware, software or applications we develop or procure from third parties may contain defects in design or manufacture or other problems that could unexpectedly compromise information security or other problems that unexpectedly could interfere with our business operations. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not immediately produce signs of intrusion, we may be unable to anticipate these incidents or techniques, timely discover them, or implement adequate preventative measures.

We have in the past been subject to cyber-attacks and data breaches and expect that we will be subject to additional cyber-attacks in the future and may experience future data breaches and other security incidents. As a result, cybersecurity, physical security and the continued development and enhancement of our controls, processes and practices designed to protect our enterprise, information systems and data from attack, damage or unauthorized access remain a priority for us. Public company cybersecurity disclosure requirements may necessitate prompt disclosure of material incidents and enhanced risk management and governance disclosures, which could increase compliance costs and expose us to enforcement, shareholder litigation, and reputational harm if our controls are deemed inadequate. Our cyber insurance may not cover all losses, limits may be insufficient, and coverage could become more expensive or unavailable.

If our Zio devices are subject to cybersecurity vulnerabilities leading to potential harm to patients or compromises data security and confidentiality, we may be required to initiate field actions, including device recalls, or subject to government inspections, investigations or enforcement actions. In addition to any other risks this may present, this could cause significant harm to our brand reputation and consumer trust in our devices.

The secure maintenance, processing, and transmission of data is critical to our business operations and we are dependent on sophisticated information technology systems to operate our business. System failures or outages, including any potential disruptions due to significantly increased global demand on certain cloud-based systems, or failures to adequately scale our data platforms and architectures to support patient care could compromise our ability to perform these functions in a timely manner, which could harm our ability to conduct business or delay our financial reporting. We have implemented multiple layers of security measures and monitoring to protect the confidentiality, integrity, and availability of this data and the systems and devices that store and transmit such data. Despite our security measures and business controls, which undergo routine testing internally and by external parties, our information technology and infrastructure may still be vulnerable to attacks. We also rely on third-party service providers, including cloud, claims, and payment vendors; their cybersecurity or availability failures could materially disrupt our operations, and we may have limited ability to monitor or control their security posture beyond contractual and diligence measures.

Cyber-attacks aimed at accessing our devices and services, or related devices and services, and modifying or using them in a way inconsistent with our FDA marketing authorizations and regulatory certifications or approvals in the EU, Switzerland, Japan and the UK, could create risks to patients.

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve healthcare and increase the ability of healthcare providers to treat patients and of patients to manage their conditions and are subject to extensive oversight from FDA and foreign regulatory authorities with requirements designed to manage the risks of cyber-attacks with the potential to impact patient safety.

These guidance documents serve as an indicator of agency expectations for the cybersecurity oversight of the devices as they are deployed for use by patients and HCPs, and the assurance that cybersecurity is appropriately integrated into a company’s quality system. If we do not implement quality measures to manage cybersecurity and minimize or avoid risks of a potential cyber-attack that impacts our devices and services in a way that regulators deem satisfactory, this could impact our product applications and in addition we could be subject to a range of FDA enforcement action or investigation by other regulatory agencies or enforcement bodies including DOJ, and such a situation could trigger the need for a recall, a hold on the distribution of our products, or require other corrective actions to our products.

In the EU, a number of interlocking rules regulate cybersecurity for medical devices. For example, the new Cybersecurity Directive (EU) 2022/2555 (also known as the NIS 2 Directive (Network and Information Security) entered into force in January 2023. The EU NIS 2 Directive affects Critical National Infrastructure (CNI) providers, which includes the health sector and the manufacturers of medical devices considered to be critical during a public health emergency, as well as other covered entities. The requirements in the NIS 2 Directive will sit alongside the cybersecurity requirements addressed in the EU MDR, which are supplemented by specific guidance issued by the EU’s Medical Device Coordination Group. Additional EU and UK legislative developments, including product cybersecurity rules and evolving device software requirements, may impose further security-by-design, vulnerability handling, and reporting obligations applicable to our products and operations including the ePrivacy Directive, the Data Act, and the AI Act; however, the timing, scope, and impact of these measures remain subject to national implementing acts and other ongoing developments. In the UK, the government announced as part of its consultations on the future regulation of medical devices, that it intends to develop legislation to impose cybersecurity requirements for software as a medical device, including for AI.

We are subject to complex and evolving U.S. and foreign laws and regulations and other requirements regarding privacy, data protection, security, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, monetary penalties, increased cost of operations, or declines in customer growth or engagement, or otherwise harm our business.

These laws include foreign, federal and state healthcare privacy laws, telehealth laws, breach notification laws and consumer protection laws. These frameworks impose stringent privacy and security standards and potentially significant non-compliance penalties and liability. U.S. and foreign legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. Further, if we fail to comply with applicable privacy laws, we could face civil and criminal penalties, or claims for breach of contract. In the United States, there are numerous federal and state patient and consumer, privacy and data security laws and regulations governing the collection, use, disclosure, protection and breach of personal data. HIPAA, for example, establishes privacy standards that limit the use and disclosure of individually identifiable health information (or “protected health information”); requires the implementation of reasonable administrative, physical and technological safeguards to protect the privacy and security of this information and ensure its confidentiality, integrity and availability; and sets forth notification standards in the event of a data breach. In addition, states have shown an increased interest in regulating personal data in general (for example, through state consumer privacy laws and data breach notification laws), and specifically with respect to consumer health data. Outside HIPAA, over a third of U.S. states have passed comprehensive state consumer privacy laws and several have passed consumer health data laws which impose additional consent, transparency, data minimization, geo-fencing, and third-party sharing restrictions that may apply to health-related data that is not regulated as protected health information, all of which are subject to active enforcement by state attorneys general.

For example, data localization laws in some countries generally mandate that certain types of data collected in a particular country be stored and/or processed solely within that country. Other foreign laws, such as the GDPR and Swiss data protection laws, impose strict requirements for processing and cross-border transfers of personal data outside of the EU, UK or Switzerland to a “third country,” including the United States, unless particular compliance mechanisms are implemented. The mechanisms that we and many other companies rely upon for such data transfers (for example, standard contractual clauses or the EU-U.S. and Swiss-U.S. Data Privacy Framework (“DPF”) and the UK extension to the DPF) are the subject of legal challenge, regulatory interpretation, and judicial decisions. While we maintain EU-U.S., Swiss-U.S. and UK-U.S. DPF certifications, we still rely on the standard contractual clauses for intercompany data transfers from the EU, Switzerland, and the UK to the United States in certain situations.

Determining how protected health information may be used, shared, or processed in compliance with applicable privacy standards and our contractual obligations can be complex and may be subject to changing interpretation. Both foreign and U.S. legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors and make other operational changes; and/or it could adversely affect our business, financial condition, results of operations and prospects.

Risks Related to Our Common Stock

If securities or industry analysts do not publish research or reports about our business, or if they issue an adverse or misleading opinion regarding our stock, our stock price and trading volume could decline.

The trading market for our common stock will be influenced by the research and reports that industry or securities analysts publish about us or our business. We do not have any control over the analysts, or the content and opinions included in their reports. If any of the analysts who cover us issues an adverse or misleading opinion regarding us, our business model, our intellectual property, or our stock performance, or if any third-party preclinical studies and clinical trials involving our iRhythm Services or our results of operations fail to meet the expectations of analysts, our stock price would likely decline. If one or more of such analysts cease coverage of us or fail to publish reports on us regularly, we could lose visibility in the financial markets, which in turn could cause a decline in our stock price or trading volume.

Our stock price is highly volatile and investing in our stock involves a high degree of risk, which could result in substantial losses for investors.

Historically, the market price of our common stock, like the securities of many other medical service providers that are public companies, has fluctuated. It is likely that our stock price will continue to be volatile in the future.

The market price of our common stock is influenced by many factors that are beyond our control, including the following:

•securities analyst coverage or lack of coverage of our common stock or changes in their estimates of our financial performance;

•variations in quarterly operating results;

•future sales of our common stock by our stockholders;

•investor perception of us and our industry;

•announcements by us or our competitors of significant agreements, acquisitions, or capital commitments or service or product launches or discontinuations;

•changes in market valuation or earnings of our competitors;

•negative business or financial announcements regarding our partners;

•regulatory actions;

•legislation and political conditions;

•cybersecurity events;

•global health pandemics, such as the COVID-19 pandemic;

•terrorist acts, acts of war, or periods of widespread civil unrest, including ongoing geopolitical conflicts, such as the war in Ukraine and conflicts in the Middle East and Venezuela; and

•general economic, industry, and market conditions, including inflation, interest rate volatility, uncertainty with respect to the federal debt ceiling and budget and potential government shutdowns related thereto, potential instability in the global banking system, and fluctuating foreign currency exchange rates.

Please also refer to the factors described elsewhere in this “Risk Factors” section. In addition, the stock market in general has experienced extreme price and volume fluctuations that have often been unrelated and disproportionate to the operating performance of companies in our industry. These broad market and industry factors may materially reduce the market price of our common stock, regardless of our operating performance.

Securities class action litigation has often been brought against public companies that experience periods of volatility in the market prices of their securities. Securities class action litigation could result in substantial costs and a diversion of our management’s attention and resources.

Anti-takeover effects of our charter documents and Delaware law could make a merger, tender offer, or proxy contest difficult, thereby depressing the trading price of our common stock.

There are provisions in our amended and restated certificate of incorporation and amended and restated bylaws, as well as provisions in the Delaware General Corporation Law (“DGCL”), that may discourage, delay, or prevent a change of control of our company that might otherwise be beneficial to stockholders. These provisions could also make it difficult for stockholders to elect directors who are not nominated by current members of our board of directors or take other corporate actions, including effecting changes in our management. For example:

•our board of directors may, without stockholder approval, issue shares of preferred stock with special voting or economic rights;

•our stockholders do not have cumulative voting rights and, therefore, each of our directors can only be elected by holders of a majority of our outstanding common stock;

•a special meeting of stockholders may only be called by a majority of our board of directors, the chairman of our board of directors, our chief executive officer, or our president (in the absence of a chief executive officer);

•our stockholders may not take action by written consent; and

•we require advance notice for nominations for election to the board of directors or for proposing matters that can be acted upon by stockholders at stockholder meetings.

Moreover, Section 203 of the DGCL may discourage, delay, or prevent a change of control of our company. Section 203 imposes certain restrictions on mergers, business combinations, and other transactions between us and holders of 15% or more of our common stock.

The exclusive forum provision in our organizational documents may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or any of our directors, officers, or other employees, or the underwriters of any offering giving rise to such claim, which may discourage lawsuits with respect to such claims.

This exclusive forum provision does not apply to suits brought to enforce a duty or liability created by the Exchange Act.

Any person or entity purchasing or otherwise acquiring or holding any interest in any of our securities shall be deemed to have notice of and consented to our exclusive forum provisions. The exclusive forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or any of our directors, officers, or other employees, which may discourage lawsuits with respect to such claims. Alternatively, if a court were to find the choice of forum provisions contained in our amended and restated certificate of incorporation or amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving such action in other jurisdictions, which could harm our business, operating results, and financial condition.

We do not intend to pay dividends for the foreseeable future.

We have never declared or paid cash dividends on our capital stock. We currently intend to retain all available funds and any future earnings to support operations and to finance the operation and expansion of our business, and we do not expect to declare or pay any dividends on our capital stock in the foreseeable future. As a result, stockholders must rely on sales of their common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investments.

Risks Related to Our Debt

Our indebtedness could adversely affect our financial health and our ability to respond to changes in our business.

As a result of our level of increased debt following the completion in 2024 of the offering of our 1.50% Convertible Senior Notes due 2029 of our wholly owned subsidiary, iRhythm Technologies, (the “2029 Notes”), of which we have provided a full and unconditional guarantee:

•our vulnerability to adverse general economic conditions and competitive pressures is heightened;

•we are required to dedicate a larger portion of our cash flow from operations to interest payments, limiting the availability of cash for other purposes;

•our flexibility in planning for, or reacting to, changes in our business and industry may be more limited; and

•our ability to obtain additional financing in the future for working capital, capital expenditures, acquisitions, general corporate purposes or other purposes may be impaired.

In addition, we cannot be sure that additional financing will be available when required or, if available, will be on terms satisfactory to us. Further, even if we are able to obtain additional financing, we may be required to use such proceeds to repay a portion of our debt.

Furthermore, neither we nor iRhythm Technologies are restricted under the terms of the indenture governing the 2029 Notes (the "Indenture") from incurring additional debt, securing future debt, recapitalizing our debt, repurchasing our stock, pledging our assets, making investments, paying dividends, guaranteeing debt or taking a number of other actions that could have the effect of diminishing our ability to make payments on the 2029 Notes when due.

Servicing our debt requires a significant amount of cash, and we may not have sufficient cash flow from our business to pay our indebtedness.

Our ability to refinance any current or future indebtedness will depend on the capital markets and our financial condition at such time. In addition, any of our future current or future debt agreements may contain restrictive covenants that may prohibit us from adopting any of these alternatives. Our failure to comply with these covenants could result in an event of default which, if not cured or waived, could result in the acceleration of our debt.

In addition, we may be unable to repurchase the 2029 Notes upon a fundamental change when required by the holders or repay prior to maturity any accelerated amounts due under the 2029 Notes upon an event of default or redeem the 2029 Notes or pay cash upon conversion of the 2029 Notes, and our future debt may contain limitations on our ability to pay cash upon conversion, repurchase or repayment of the 2029 Notes.

The capped call transactions may affect the value of our common stock.

In connection with the pricing of the 2029 Notes, iRhythm Technologies entered into capped call transactions with the option counterparties. The 2029 Capped Calls are expected generally to reduce the potential dilution to our common stock upon conversion of the 2029 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2029 Notes, as the case may be, with such reduction and/or offset subject to a cap.

The option counterparties or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock or other securities of ours in secondary market transactions at any point prior to the maturity of the 2029 Notes (and are likely to do so during any observation period related to a conversion of 2029 Notes or following any redemption or repurchase of 2029 Notes by us, in each case, if we elect to unwind a corresponding portion of the 2029 Capped Calls in connection with such conversion or such redemption or repurchase). This activity could also cause or avoid an increase or a decrease in the market price of our common stock.

We are subject to counterparty risk with respect to the capped call transactions.

The option counterparties are financial institutions or affiliates of financial institutions, and we are subject to the risk that one or more of such option counterparties may default under the 2029 Capped Calls. Our exposure to the credit risk of the option counterparties is not secured by any collateral. Past and current global economic conditions, including recent changes in prevailing interest rates, have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If any option counterparty becomes subject to bankruptcy or other insolvency proceedings, we will become an unsecured creditor in those proceedings with a claim equal to our exposure at that time under the capped call transaction with such option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be positively correlated to an increase in our common stock market price and in the volatility of the market price of our common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and dilution with respect to our common stock. We can provide no assurance as to the financial stability or viability of any option counterparty.

Conversion of the 2029 Notes will, to the extent we deliver shares upon conversion of such 2029 Notes, dilute the ownership interest of existing stockholders, including holders who had previously converted their 2029 Notes, or may otherwise depress our stock price.

The 2029 Notes, although issued by iRhythm Technologies, our wholly owned subsidiary, are convertible into shares of our common stock. The conversion of some or all of the 2029 Notes will dilute the ownership interests of existing stockholders to the extent we deliver shares upon conversion of any of such 2029 Notes. Any sales in the public market of the common stock issuable upon such conversion could adversely affect prevailing market prices of our common stock. In addition, the existence of the 2029 Notes may encourage short selling by market participants because the conversion of the 2029 Notes could be used to satisfy short positions, or anticipated conversion of the 2029 Notes into shares of our common stock could depress our stock price.

The conditional conversion feature of the 2029 Notes, if triggered, may adversely affect our financial condition and operating results.

In the event the conditional conversion feature of the 2029 Notes is triggered, holders of the 2029 Notes will be entitled to convert the 2029 Notes at any time during specified periods at their option. Currently, holders of the 2029 Notes are entitled to convert through March 4, 2026 as a result of the Holding Company Transaction. If one or more holders elect to convert their 2029 Notes, unless we elect to satisfy our conversion obligation by delivering solely shares of our common stock (other than cash in lieu of any fractional share), we would be required to settle a portion or all of our conversion obligation through the payment of cash, which could adversely affect our liquidity. In addition, even if holders of the 2029 Notes do not elect to convert their 2029 Notes, we could be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the 2029 Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital.

The accounting method for convertible debt securities that may be settled in cash, such as the 2029 Notes, could have a material effect on our reported financial results.

Under current accounting principles, we accounted for the entire amount of the 2029 Notes as debt on our balance sheet, as opposed to separately accounting for the liability and equity components of the 2029 Notes. Additionally, under the “if-converted” method, diluted earnings per share is generally calculated assuming that all the debt securities were converted solely into shares of common stock at the beginning of the reporting period, unless the result would be anti-dilutive, which could adversely affect our diluted earnings per share. However, if we were to make an irrevocable election to settle the principal amount of the 2029 Notes in cash, the if-converted method for calculating diluted earnings per share will only take into consideration the number of shares that would be issuable based on the extent to which the conversion value of such 2029 Notes exceeds their principal amount, provided the effect were dilutive. Furthermore, if any of the conditions to the convertibility of the 2029 Notes is satisfied, then we may be required under applicable accounting standards to reclassify the liability carrying value of the 2029 Notes as a current, rather than a long-term, liability. This reclassification could be required even if no holders convert their 2029 Notes and could materially reduce our reported working capital.

General Risk Factors

We may be impacted by domestic and global economic and political conditions, as well as natural disasters, severe weather, pandemics, and other catastrophic events, which could adversely affect our business, financial condition, or results of operations.

A severe or prolonged economic downturn or period of global political instability could drive hospitals and other healthcare professionals to tighten budgets and curtail spending, which could in turn negatively impact rates at which physicians prescribe our iRhythm Services. In addition, higher unemployment rates or reductions in employer-provided benefits plans could result in fewer commercially insured patients, resulting in a reduction in our margins and impairing the ability of uninsured patients to make timely payments. A weak or declining economy could also strain our suppliers, possibly resulting in supply delays and disruptions. There is also a risk that one or more of our current service providers, suppliers, or other partners may not survive such difficult economic times, which could directly affect our ability to attain our goals on schedule and on budget. If the current equity and credit markets deteriorate, it may make any necessary debt or equity financing more difficult, more costly, and more dilutive. We cannot predict the timing, strength, or duration of an economic downturn, instability, or recovery, whether worldwide, in the United States, or within our industry.

In addition, the BIOSECURE Act was signed into law in December 2025 as part of the National Defense Authorization Act restricting U.S. federal contracts and funding for companies using biotech equipment or services from "biotechnology companies of concern" ("BCCs"), to curb national security risks. A phased rollout includes publishing lists of BCCs, issuing guidance, and revising Federal Acquisition Regulations with full prohibitions taking effect over a period of years. Compliance with this law will require us to perform additional supply chain due diligence and potentially change supplier sources if we wish to do business with the U.S. government such as the Veterans Administration. We cannot predict what actions may ultimately be taken with respect to trade relations between the United States and China or other countries, what products and services may be subject to such actions or what actions may be taken by the other countries in retaliation.

Further, climate-related events, including the increasing frequency of extreme or disruptive weather events, natural disasters, or other catastrophic events may have the potential to damage or disrupt our business and/or the business of our customers or third-party suppliers, and may cause us to experience higher attrition, losses, and additional costs to maintain or resume operations. In addition, these events may impact or delay patient visits or the ability of prescribers or patients to receive deliveries from third parties, such as the U.S. Postal Service. Further, we do not maintain insurance sufficient to compensate us for the potentially significant losses that could result from disruptions to our services. Additionally, all the aforementioned risks may be further increased if our or our partners’ disaster recovery plans are inadequate.

Environmental, social, and corporate governance (“ESG”) regulations, policies, and provisions may make our supply chain more complex and may adversely affect our relationships with customers.

There is an increasing focus from certain investors, physicians, patients, employees, and other stakeholders concerning corporate citizenship and sustainability matters and the governance of environmental and social risks. An increasing number of participants in the medical services industry are joining voluntary ESG groups or organizations, such as the Responsible Business Alliance. These ESG provisions and initiatives are subject to change, can be unpredictable, and may be difficult and expensive for us to comply with, given our reliance on our supply chain and the outsourced manufacturing of certain components and sub-assemblies of the iRhythm ACM Systems used with our iRhythm Services.

At the same time, an increasing number of stakeholders, regulators and lawmakers have expressed or pursued contrary views, including the proposal or enactment of “anti-ESG” policies, legislation, executive orders or initiatives or issued related legal opinions. Conflicting regulations and a lack of harmonization of ESG legal and regulatory environments across the jurisdictions in which we operate may create enhanced compliance risks and costs. We may also face increasing scrutiny from our investors, physicians, patients, employees and other stakeholders relating to the appropriate role of ESG practices and disclosures.

We could fail, or be perceived to fail, in our achievement of such initiatives or goals, or we could fail in fully and accurately reporting our progress on such initiatives and goals. In addition, we could be criticized for the scope of such initiatives or goals or perceived as not acting responsibly in connection with these matters.

If we are not effective in addressing ESG matters affecting our business, or setting and meeting relevant ESG goals, our reputation and financial results may suffer.

ITEM 1B. UNRESOLVED STAFF COMMENTS

Not applicable.

CYBERSECURITY

Cybersecurity Risk Management and Strategy

Cybersecurity is an important part of our risk management at iRhythm. Our cybersecurity program includes mitigating risks for our company and for other companies that may have access to our data and systems. Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners, and employees. The risk oversight responsibility of our board of directors and its committees is supported by our cybersecurity management reporting processes, which are designed to provide visibility to our board of directors and to our personnel that are responsible for risk assessment and information about the identification, assessment, and management of critical risks and management’s risk mitigation strategies. These areas of focus include risks from cybersecurity threats as well as competitive, economic, operational, financial, legal, regulatory, privacy, compliance, and reputational risks, among others. We understand that our customers, patients, and stakeholders entrust us with sensitive data, including Protected Health Information, and we take this responsibility seriously.

We also regularly engage external parties to assist in the review of our cybersecurity risk oversight processes.

We have established policies to govern the security of our systems and the protection of customer and patient data, which include regular system updates and patches, employee training on cybersecurity and HIPAA best practices, incident reporting, and the use of encryption to secure sensitive information. Our Cybersecurity department, which reports to our CISO, is responsible for our cybersecurity program and our Global Risk & Integrity department, which reports to our CRO, is responsible for our privacy program as further discussed below. To identify, assess, and manage material cybersecurity risks, our Cybersecurity team uses a cybersecurity risk assessment process aligned with leading frameworks such as the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and HIPAA. To ensure appropriate and consistent risk evaluation and decision-making processes among our Cybersecurity and Global Risk & Integrity departments, we utilize an Adjusted Risk Rating (“ARR”) system that considers certain attributes that represent impact to iRhythm, and we prioritize our actions based on our ARR system. Our cybersecurity risk assessment program provides the underlying basis for the activities our Cybersecurity and Global Risk & Integrity departments take to identify and mitigate risks from, as well as develop risk management and response strategies for, evolving and emerging cybersecurity threats.

In addition, we also regularly perform phishing tests on our employees and review our training plan at least annually for appropriate updates to address results from this testing. Further, we are focused on building and maintaining a positive cybersecurity culture through a combination of trainings, educational tools, videos, and other cybersecurity awareness initiatives. On top of annual information security awareness training for our employees, we also provide focused training for certain departments. Our security training incorporates awareness of cyber threats

(including malware, ransomware, and social engineering attacks), password hygiene, and incident reporting process, as well as physical security best practices.

We engage in the periodic assessment of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents, internally and through assessments by external providers. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, penetration testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. Assessments by external providers of our cybersecurity measures include information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such internal and external assessments, audits, and reviews are reported to the audit committee and the board of directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Based on our board of directors’ and management’s review of risks associated with cybersecurity threats, we have concluded that, to date, there have been no cybersecurity threats which have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the risk factor titled “Cybersecurity risks, including those involving network security breaches, services interruptions and other incidents affecting the confidentiality, integrity or availability of our data and systems, could result in the compromise of confidential data or critical systems and give rise to potential harm to our patients, remediation costs and other expenses, expose us to liability under HIPAA, breach notification laws, consumer protection laws, or other common law theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be disruptive to our business and operations."

Governance

As described above, our board of directors has an important role in the oversight of our cybersecurity risk management and strategy, with certain components of such oversight, including matters related to the security of and risks related to computerized information and technology systems, delegated to the audit committee.

At the management level, our Cyber Security and Risk departments work together to monitor our cybersecurity and risk programs, reporting to our CISO and CRO, respectively. Our CISO currently leads a team of cybersecurity professionals, has held leadership roles in the Cybersecurity team since joining us in 2019, and has over fifteen years of management experience within cybersecurity teams. Our CRO has held leadership roles in internal audit and risk for over a decade, including most recently as CRO of another public company.

Individuals in our Cybersecurity and Global Risk & Integrity departments regularly monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Risks are escalated to the CRO and other members of management in accordance with our incident response and reporting policy.

These periodic updates include updates on our cybersecurity risk posture, including material risk assessments, the status of any projects to improve our information security systems, and the emerging cybersecurity threat landscape. The audit committee’s reviews may also include presentations by members of senior management, as well as briefings with other internal and external subject-matter experts to help broaden the board of directors’ understanding of the latest cybersecurity issues and the latest regulatory and threat landscapes. Additionally, the audit committee monitors our progress to address cybersecurity risks and opportunities, as well as

cybersecurity incident response and recovery metrics. Our management also periodically engages external service providers to conduct objective assessments of our cybersecurity program, and results of such assessments are directly reported to the audit committee. Finally, the audit committee reports out to the larger board of directors periodically on our cybersecurity risks and posture.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
IRTC	2 hours ago
GCMG	2 hours ago
ED	2 hours ago
IAUX	2 hours ago
LNC	2 hours ago
TSCO	2 hours ago
MSTR	2 hours ago
GH	2 hours ago
MIR	2 hours ago
CSGS	2 hours ago
LKQ	2 hours ago
DTM	2 hours ago
BG	2 hours ago
THRM	2 hours ago
SEM	2 hours ago
TVTX	2 hours ago
KALU	3 hours ago
LYV	3 hours ago
FTI	3 hours ago
MS	3 hours ago
ICUI	3 hours ago
ET	3 hours ago
BNL	3 hours ago
OWL	3 hours ago
BTU	3 hours ago
EFX	3 hours ago
PTCT	3 hours ago
RPD	3 hours ago
MET	3 hours ago
IEX	3 hours ago
CNDT	3 hours ago
SPSC	3 hours ago
CYH	3 hours ago
SLM	3 hours ago
STT	3 hours ago
WSC	3 hours ago
NPO	3 hours ago
FFBC	3 hours ago
SUNC	3 hours ago
FDP	3 hours ago
SUN	3 hours ago
UDMY	3 hours ago
OPEN	3 hours ago
MSEX	3 hours ago
ULS	3 hours ago
GATX	3 hours ago
RMAX	3 hours ago
CTO	3 hours ago
GLPI	3 hours ago
AIZ	3 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - IRTC

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - IRTC

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing