Medtronic & Edward-Elmhurst Health Sued Over Web Tracker Use
The Minneapolis, MN-based medical device manufacturer Medtronic & the Illinois health system Edward-Elmhurst Health are facing class action lawsuits over the use of website tracking technologies, which passed sensitive customer data to third parties such as Google and Meta.
Medtronic MiniMed and MiniMed Distribution Corp
A lawsuit has been filed against Medtronic MiniMed Inc. and MiniMed Distribution Corp (Medtronic) over the use of tracking technologies in its InPen diabetes management app.
The lawsuit – A.H. v. Medtronic MiniMed Inc. and MiniMed Distribution Corp – was filed in District Court for the Central District of California on behalf of plaintiff A.H, and similarly situated individuals who had their sensitive information disclosed to third parties via Google Analytics, Firebase, and Crashlytics.
Medtronic reported the data breach to the HHS’ Office for Civil Rights in April as affecting 58,374 individuals and notified customers that email addresses, IP addresses, phone numbers, InPen App usernames and passwords, timestamp information for InPen App events, and unique identifiers tied to InPen accounts or mobile devices had been impermissibly disclosed. Medtronic no longer uses Google Analytics and is transitioning from Crashlytics and Firebase authentication to other reporting and authentication platforms.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit claims Medtronic placed profit over privacy when it deliberately added these tools to the app to access and monetize user data and claims that Medtronic violated its own privacy policy as it maintained it would keep InPen app user data private and would not share user information with third parties for marketing purposes unless written authorization was obtained.
The lawsuit alleges common law invasion of privacy – intrusion upon seclusion, breach of confidence, breach of fiduciary duty, negligence, breach of implied contract, breach of implied covenant & fair dealing, unjust enrichment, and violations of the Electronic Communications Privacy Act (ECPA), California Invasion of Privacy Act (CIPA), and New York General Business Law.
The lawsuit seeks class action status, a jury trial, damages, extended credit monitoring services, attorneys’ fees, and equitable and injunctive relief to ensure that users of its app have their privacy protected. The plaintiffs and class are represented by attorneys from the law firms Milberg Coleman Bryson Phillips Grossman, PLLC, Markovits, Stock & Demarco, LLC, and Chestnut Cambronne PA.
Edward-Elmhurst Health
The lawsuit against Edward-Elmhurst Health – Arnold Stein and Diane Miller V. Edward-Elmhurst Health -was filed in Cook County Circuit Court and alleges patient privacy was violated due to the use of the Meta Pixel tracking tool on its web portals, which patients use for booking appointments and finding treatment facilities and other healthcare services.
According to the lawsuit, the Meta Pixel tracking code was added to the web portals without users’ knowledge, and transmitted “every click, keystroke and detail about their medical treatment” to Facebook. That information was tied to individual users through their Facebook IDs. The lawsuit alleges the information transmitted to Facebook was used for marketing purposes in an effort to bolster Edward-Elmhurst Health’s profits.
The lawsuit alleges the disclosures violated HIPAA, the Illinois Eavesdropping Statute, and the Illinois Consumer Fraud and Deceptive Business Practices Act. The lawsuit seeks actual and punitive damages, attorneys’ fees, and an injunction against Edward-Elmhurst Health preventing further patient privacy violations through tracking technologies. The lawsuit was filed by attorneys from Almeida Law Group LLC and Stephan Zouras, LLP.
