Medtronic is facing a class-action lawsuit alleging that the diabetes tech manufacturer illegally sold users’ personal information.
Medtronic, of course, is a giant in the diabetes tech world, perhaps best known for its closed-loop insulin pump systems. The new issue involves Medtronic’s InPen and its associated smartphone app. The InPen system uses a reusable smart insulin pen that sends data to an app, which tracks doses and offers dosing advice for patients on multiple daily injections (MDI). It’s a popular way for MDI users to get some of the data-driven rigor that insulin pump users enjoy. The InPen app, though, was the source of the information breach.
The trouble appeared to start in April, when Medtronic announced that it had experienced an earlier data breach in which “an unauthorized party [gained] access to consumers’ names, email addresses, IP addresses, phone numbers, and protected health information.” Medtronic sent notification letters to the nearly 60,000 affected customers, all users of the InPen app, whose data had been exposed. But now the company is facing accusations that it sold the data deliberately.
The plaintiff, known only as A.H., filed the lawsuit in California on behalf of any customers affected by the data breach. According to The HIPAA Journal, the new lawsuit alleges that Medtronic intentionally harvested and sold the private data, violating its own policies.
The complaint, quoted at length at Fierce Biotech, states that Medtronic created “highly detailed user profiles for marketing and other commercial purposes.” The plaintiff A.H. alleges that Medtronic enabled Google to link his private health information with his real identity.
Medtronic had only recently resolved a different quality control issue with the FDA. In late 2021, after an inspection with evidently disappointing results, the FDA wrote a letter to the manufacturer detailing a number of concerns. Medtronic, it seems, failed to convince the regulator that it was committed to openly evaluating and addressing device malfunctions and complaints.
And in July, the Cybersecurity & Infrastructure Security Agency (CISA) warned of a different security issue, a “high-risk vulnerability” in Medtronic’s Paceart Optima cardiac data management system that could have allowed hackers to “perform remote code executions or launch denial-of-service attacks.”
In response to the new lawsuit, Medtronic issued a statement to news outlets:
“Medtronic has not been served and will review the complaint once we receive it. It’s important to note that protecting patient information is critically important to Medtronic. We have strong processes, technologies, and people in place to safeguard and protect our information and systems, the information of our business partners, and most importantly, the privacy and safety of the patients and healthcare providers that use our products.”