Medtronic is facing a class-action lawsuit alleging that the diabetes tech manufacturer illegally sold users’ personal information.
Medtronic is a major player in the diabetes tech world, perhaps best known for its closed-loop insulin pump systems. The new issue involves Medtronic’s InPen and its associated smartphone app. The InPen system uses a reusable smart insulin pen that sends data to an app, tracking doses and offering advice for patients using multiple daily injections (MDI). It’s a popular way for MDI users to benefit from some of the data-driven rigor that insulin pump users enjoy. The InPen app, though, was the source of the data breach.
The trouble appears to have begun in April, when Medtronic announced that it had experienced an earlier data breach, in which “an unauthorized party [gained] access to consumers’ names, email addresses, IP addresses, phone numbers, and guarded health information.” Medtronic sent notification letters to the nearly 60,000 customers, all users of the InPen app, whose data had been lost. But now the company is facing accusations that it sold the information deliberately.
The plaintiff, known only as A.H., filed the lawsuit in California on behalf of any customers affected by the data breach. According to The HIPAA Journal, the new lawsuit alleges that Medtronic intentionally harvested and sold the private data, violating its own policies.
The complaint, quoted at length at Fierce Biotech, states that Medtronic created “highly detailed user profiles for marketing and other industrial purposes.” The plaintiff A.H. alleges that Medtronic enabled Google to link his private health information with his real identity.
Medtronic had only recently resolved a separate quality control issue with the FDA. In late 2021, after an inspection with evidently disappointing results, the FDA wrote a letter to the manufacturer detailing a number of concerns. Medtronic, it seems, did not persuade the regulator that it was committed to openly evaluating and addressing device malfunctions and complaints.
And in July, the Cybersecurity & Infrastructure Security Agency warned of a separate security issue, a “high-risk vulnerability” in Medtronic’s Paceart Optima cardiac data management system that could have allowed hackers to “perform distant code executions or launch denial-of-service attacks.”
In response to the new lawsuit, Medtronic issued a statement to news outlets:
“Medtronic has not been served and can review the criticism once we receive it. It’s necessary to notice that protecting patient information is critically necessary to Medtronic. We now have strong processes, technologies, and folks in place to safeguard and protect our information and systems, the knowledge of our business partners, and most significantly, the privacy and safety of the patients and healthcare providers that use our products.”