Insulin App Maker Faces Privacy Lawsuit for Web Tracker Use
Proposed Class Action Filed in Breach Affecting Users of Medtronic MiniMed InPen
Medical device maker Medtronic MiniMed violated patient privacy by using tracking and authentication technologies such as Google Analytics and Firebase in its InPen diabetes management app and services, according to a proposed federal class action lawsuit filed this week.
Attorneys filed the lawsuit Wednesday in a Los Angeles federal court against Medtronic MiniMed and MiniMed Distribution Corp. on behalf of a plaintiff identified as A.H. who has used MiniMed's InPen app and services since approximately July 2020.
The complaint alleges, among other claims, that California-based Medtronic MiniMed, through its use of tracking and authentication technologies, disclosed to Google and other third parties the sensitive personal and health information of InPen users without their knowledge or consent, invading their privacy.
Medtronic MiniMed "intentionally chose to put its profits over its patients' privacy so it could access and monetize their valuable data for future marketing efforts," the lawsuit alleges. Medtronic also violated its own stated privacy policy, which promises that patients' private information would not be shared for marketing purposes unless it first received written authorization for that disclosure, the complaint claims.
The lawsuit seeks financial damages and extended credit monitoring to the plaintiff and class members, as well as injunctive relief requiring Medtronic MiniMed to strengthen its data security systems and monitoring procedures.
Breach Details
Central to the lawsuit is an unauthorized access/disclosure HIPAA breach MiniMed reported in April to the U.S. Department of Health and Human Services as affecting nearly 58,400 individuals.
The company in a breach notice said the incident had involved the company's use of tracking and authentication technologies, including Google Analytics, Firebase and Crashlytics, in its InPen diabetes management iOS and Android mobile applications (see: Medtronic Reports InPen Mobile Diabetic App Tracking Breach).
Medtronic in its April breach notice said it had implemented the technologies in September 2020 "to track technical issues, understand how users interact with the InPen App and ensure users were properly authenticated before accessing their accounts."
But Medtronic said it subsequently determined on Feb. 13 that those tools disclose certain details about the user's actions within the InPen app, "particularly for users that are logged into their Google accounts at the same time as the InPen App and have shared their identity or other online activity with Google."
Medtronic's investigation into the incident determined that InPen user information potentially disclosed includes email address, IP address, phone number, InPen App user name and password, time stamp information related to specific InPen App events, and certain unique identifiers tied to a person's InPen account or mobile device.
The company said it had removed Google Analytics from the latest version of the InPen app, and it was implementing a plan to transition from Crashlytics and Firebase Authentication "to new crash reporting and authentication platforms for the InPen App."
Medtronic's breach report to HHS' Office for Civil Rights came about four months after the federal agency had issued guidance in December warning that use of third-party tracking tools in health-related websites and apps could violate the HIPAA privacy rule (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
Since then, the Federal Trade Commission has issued similar warnings about the use of tracking tools in health-related websites and applications potentially violating FTC regulations (see: Feds Warn Hospitals, Telehealth Firms About Web Tracker Use).
Medtronic in a statement to Information Security Media Group on Thursday said: "Medtronic has not been served and will review the complaint once we receive it. It’s important to note that protecting patient information is critically important to Medtronic. We have strong processes, technologies, and people in place to safeguard and protect our information and systems, the information of our business partners, and most importantly, the privacy and safety of the patients and healthcare providers that use our products.”*
Growing Scrutiny
In recent months, a growing number of healthcare sector entities have reported health data breaches involving their previous use of tracking tools, such as Google Analytics and Meta Pixel, in websites, apps and patient portals.
But now some of these entities, such as Medtronic, also face proposed class action lawsuits alleging privacy violations and other claims, involving unlawful disclosure of individuals' sensitive health and personal information.
"OCR is one of the few organizations with a public breach reporting mechanism - i.e., the 'wall of shame' - so it's much easier for plaintiffs' firms to identify large breaches of health information and the companies responsible for those breaches as it is publicly available information," said attorney Cory Brennan of the law firm Taft about the surge in lawsuits being filed in these web-tracking cases. Brennan is not involved in the Medtronic case.
Advocate Aurora Health in October 2022 reported to HHS OCR a web tracker-related HIPAA breach affecting 3 million individuals (see: Health Entity Says Tracking Code Breach Affects 3 Million).
Recently, Advocate Aurora agreed to pay $12.25 million to settle consolidated class action claims that the Illinois-based hospital chain had invaded patient privacy by using tracking codes on its websites and patient portal (see: Advocate Aurora to Settle Web Tracker Claims for $12.25M).
Some makers of these tracking tools, including Meta, are also facing proposed class action lawsuits involving the use of their web tracking technologies in health-related websites and apps to collect and share sensitive health information with third parties (see: Federal Judge Inclined to Grant Claims in Meta Pixel Case).
"Now that relatively high dollar settlements are being reached in some of these cases, I suspect we will see more of these class action lawsuits filed," Brennan said. "It is important for organizations to assess - and, in some cases, reassess - the way they are using these tracking technologies within their web environment, so they aren't caught flat-footed if the next lawsuit knocks on their door."
But it is not just the threat of civil lawsuits that companies face involving the use of web trackers. Some firms have already been hit with fines and settlements from the Federal Trade Commission, and HHS OCR leaders have warned about imminent HIPAA enforcement actions for violations involving the use of web trackers.
"As we saw with the various FTC enforcement actions in 2023, BetterHelp and GoodRx are major companies that were allegedly unlawfully tracking data entered by consumers," said regulatory attorney Rachel Rose about recent FTC settlements in these cases.
"Given the statements and enforcement actions by HHS and the FTC, this is an area to watch. We'll likely see more cases on the horizon," she said.
*Update Aug. 31, 2023 UTC 21:34: Statement from Medtronic added.