
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google

The medical device manufacturer Medtronic – dba Medtronic MiniMed and MiniMed Distribution Corp (Medtronic Diabetes) – has recently confirmed that users of its InPen Diabetes Management App on iOS and Android have had some of their personal information disclosed to Google due to the use of tracking and authentication code within the InPen App.

The app utilized Google Analytics for Firebase, Crashlytics for Firebase, and Firebase Authentication. These tools disclosed certain information about app users to Google, especially when users were logged into their Google accounts at the same time that they used the InPen App. As a result, their identities and information about online activities were shared with Google. The tools were used by Medtronic Diabetes to gather information about the use of the app, identify technical issues, assess app performance, and understand user needs to provide care to customers and improve services.

Medtronic Diabetes said the data collected by these tools is analyzed at a consolidated rather than individual level and does not directly identify individual patient information, but it was determined that certain information was transmitted to Google when users were logged into their Google accounts. Medtronic Diabetes said an internal investigation into the use of these tracking technologies was launched when the potential for unauthorized disclosure of user data was discovered, to determine exactly what information was potentially shared with Google.

The decision was taken to notify all users who registered for or used an InPen account since September 2020, as they may have been affected. The data disclosed to Google was dependent on user interactions with the app, and other factors, such as the browser used, whether cookies had been cleared, and if they were logged into Google when using the app.


Medtronic Diabetes said that information disclosed may have included: email address, IP address, phone number, InPen App user name and password, timestamp information related to specific InPen App events, and certain unique identifiers tied to the InPen account or mobile device. The latter includes a unique Medtronic Diabetes user identifier, unique numbers attributed to each instance the InPen App is downloaded to a particular device, and identifiers tied to a mobile device such as a MAID, IDFA, AAID, and/or IDFV.

Medtronic Diabetes said Google Analytics has been removed from the latest version of the InPen app, and plans have been made to transition from Crashlytics and Firebase Authentication to other crash reporting and authentication systems.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 58,374 individuals.

La Clínica de La Raza Reports Email Breach

La Clínica de La Raza in Oakland, CA, has reported a breach of the protected health information of 15,316 individuals. Suspicious activity was detected within certain employee email accounts on February 8, 2023, and steps were immediately taken to secure the accounts. Assisted by a third-party computer forensics firm, La Clínica was able to confirm that a limited number of employee email accounts had been accessed by unauthorized individuals at various times between January 24, 2023, and February 8, 2023.

A review of all affected email accounts was conducted, and La Clínica confirmed on April 4, 2023, that they contained patient information such as names, addresses, dates of birth, financial account or payment card information, online credentials, Social Security numbers, medical treatment information, and/or health insurance information.

Affected individuals are being notified by mail and complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

John Muir Health Says Walnut Creek Medical Center Patient Data Has Been Exposed

John Muir Health is notifying certain Walnut Creek Medical Center patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals. The Californian healthcare provider was notified about the exposure on March 22, 2023. A member of staff at the medical center created a website in order to communicate with other staff members more efficiently about the use of medical devices and centralize information such as vendor sites, order forms, and equipment information. The website included a link to an Excel spreadsheet that contained patient information. The information in the spreadsheet was intended to be accessed internally by authorized individuals; however, it could also be accessed by individuals outside of John Muir Health. The spreadsheet contained information such as names, facility, room, diagnosis, condition, and dates.

John Muir Health said the link to the Excel file was disabled on March 23, 2023, and the website was decommissioned on March 24, 2023. The investigation confirmed that the spreadsheet had not been accessed by any unauthorized third party between September 28, 2022, and March 23, 2023, but due to limited audit records, it was not possible to determine if there had been unauthorized access between July 1, 2021, and September 27, 2022.

Affected individuals have been notified by mail. The incident has been reported to the HHS’ Office for Civil Rights as affecting up to 821 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
