Medtronic Reports InPen Mobile Diabetic App Tracking BreachAndroid Users Affected by Medtronic Using Google Analytics, Firebase, Other Tools
Diabetic patients who used a Medtronic smartphone app for managing insulin levels are being told that Google may have collected certain personal information through the sign-in infrastructure.
The disclosure comes amid a wave of healthcare providers reassessing their use of third-party tools such as online behavior tracking code supplied by big tech companies. Medtronic's admission is the first that appears to have come from a medical device maker, and the apparent first that ties data leakage of patient information to app logon functionality.
At least a half-dozen healthcare organizations and online counseling providers have acknowledged that third-party tools transmitted identifying data onward to companies including Google and Facebook. The Department of Health and Human Services in December warned that third-party tools could violate privacy law (see: HHS Web Trackers in Patient Portals Violate HIPAA).
Melanie Fontes Rainer, director of the Office of Civil Rights within HHS, told Information Security Media Group on Friday that the agency expects to take enforcement actions against tracking tool-related HIPAA violations. The first case will occur "hopefully soon," she said.
Medtronic said that using Google back-end services for user logon - they include an analytics function - unintentionally disclosed data including users' email addresses, phone numbers, user names and passwords and timestamp information related to specific InPen App events. Google calls the back-end service Firebase.
Medtronic is sending breach notification letters and posted a notice on its website. Affected patients those who registered for an InPen account or used the app on Android and iOS devices starting in September 2020, Medtronic said.
"We recently learned that these technologies disclose to Google certain details about the user's actions within the InPen App, particularly for users that are logged into their Google accounts at the same time as the InPen App and have shared their identity or other online activity with Google," Medtronic said.
The HHS OCR HIPAA Breach Reporting Tool website on Thursday showed that Medtronic reported the incident to the agency on April 14 as an unauthorized access/disclosure breach involving a network server affecting nearly 58,400 individuals.*
Medtronic declined ISMG's request for additional details about the incident, including whether the company is assessing its other medical device products and their associated apps for similar potential privacy incidents. The spokesperson did say the InPen App is shifting to another logon service.
Based on Medtronic's description of the incident, "it sounds like the primary issue in this case was that the Firebase Authentication tool was integrated with the Google Analytics for Firebase tool in a manner that allowed Google to collect the username and password of individual app users, as well as track the activities of those users within the InPen application," said attorney Cory Brennan of law firm Taft.
Because the InPen application's primary use is for diabetic patients to track dose calculations and historical dosage information, "the login credentials alone are likely enough to create the inference that such credentials are health information," Brennan added.
Also, username and password information could be easily identifiable to a unique individual and is an element of personal information under many state privacy laws, she said.
*Update April 27, 2023 17:44 UTC: Adds number of individuals affected by the Medtronic breach as reported to HHS OCR.