September 6, 2023 – InPen Data Breach Update: Class Action Filed in California
The makers of the InPen diabetes monitoring system have been hit with a proposed class action lawsuit in California.
The case, filed on August 30, 2023, alleges Medtronic and MiniMed have violated InPen users’ privacy rights by installing Google Analytics and other web tracking technologies on the InPen Diabetes Management app for iOS and Android. The suit claims the companies have disclosed information about patients’ insulin doses and communications with healthcare providers, among other sensitive data, to Google and other third parties without users’ knowledge or consent.
Read ClassAction.org’s write-up of the lawsuit here.
At A Glance
This Alert Affects:
Anyone who received a data breach letter from Medtronic informing them that their or their child’s personal information may have been shared with Google
What’s Going On?
Medtronic recently reported that users of its InPen diabetes management app may have had their private health information secretly shared with Google through tracking and analytics tools. Now, attorneys working with ClassAction.org are investigating whether a class action lawsuit can be filed on behalf of consumers over potential privacy violations.
How Could a Lawsuit Help?
A class action lawsuit could help compensate InPen users for the unauthorized disclosure of their medical information and possibly force Medtronic to improve its data privacy practices.
Attorneys working with ClassAction.org want to hear from anyone who received a letter from Medtronic about the InPen data breach.
Specifically, Medtronic recently announced that users of its InPen diabetes management app may have had their personal and health information secretly disclosed to Google through tracking and analytics tools within the app. The company has stated that anyone who registered for or used an InPen account since September 2020 may have been affected.
The attorneys believe Medtronic may have failed to implement proper data security practices to protect patients’ sensitive information and are investigating whether a class action lawsuit can be filed.
Medtronic InPen Data Breach
Medtronic recently began notifying InPen app users of a “data privacy incident” that may have exposed their personal and health information without permission.
The company stated that on February 13, 2023, it determined that certain tracking and authentication tools used in the InPen app (specifically, Google Analytics, Crashlytics and Firebase Authentication) may have collected and disclosed to Google certain information about users and their InPen app activity, particularly when logged into their Google accounts while using the app.
After an investigation, Medtronic determined that the data shared with Google may have included users’ personal and health information.
What Information Was Exposed in the InPen Data Breach?
According to Medtronic’s data breach letter, the following patient information may have been shared with Google:
InPen usernames and passwords
Timestamp information related to certain actions taken in the InPen app
Unique identifiers tied to users’ InPen accounts
Unique identifiers tied to users’ mobile devices (such as advertising IDs)
How Could Tracking Software Expose Patients’ Medical Information?
Analytics and tracking technology such as the tools offered by Google have the capacity to collect all kinds of information about how consumers use websites and apps. Because the software can be programmed to track any actions consumers take – including the information they enter into a site or app, the buttons they click on, and the content they view – it’s possible that consumers’ sensitive information could be tracked and disclosed.
For example, non-profit news organization The Markup reported in June 2022 that 33 percent of the country’s top hospitals were sharing patients’ sensitive medical information with Facebook through the social media platform’s tracking pixel. Specifically, when a patient booked an appointment online, the pixel collected and shared with Facebook “an intimate receipt of the appointment request,” which may have included doctors’ names, search terms and medical conditions selected from a dropdown menu. Depending on the data shared, the pixel could potentially allow Facebook to identify particular patients and their medical information.
How Could a Lawsuit Help?
A class action lawsuit, if successful, could help compensate InPen app users for potential privacy violations. It could also force Medtronic to implement stronger data security practices to ensure that users’ information is protected in the future.