In a significant turn of events that has reverberated across the healthcare sector, Medtronic, a well-established manufacturer of medical devices, is currently entangled in a legal dispute.
Medtronic now faces a class action lawsuit, filed in the Central District of California by users of its InPen® system. The dispute centers on accusations that the company shared a “treasure trove” of diabetes patient data with tech giant Google, a move that has generated considerable controversy. This alleged breach of patient confidentiality has raised concerns within the medical industry, with GlobalData suggesting that it may trigger increased scrutiny in the healthcare field.
“MiniMed’s disclosure of PII and PHI [personally identifiable information and protected health information] to Google is particularly problematic because Google provides web services — such as YouTube and Gmail — that give it access to InPen users’ real identities and device identifiers,” the attorneys wrote.
COVID-19 initiated a notable shift in the healthcare industry, which increasingly relies on emerging technologies and intensifies its data collection endeavors. While the integration of these novel technologies undoubtedly provides significant advantages to the healthcare sector — including improving patient care, optimizing operational procedures and alleviating hospital congestion — it has also given rise to a gradual increase in cybersecurity vulnerabilities within the field.
“The potential consequences for the medical device market are significant,” Kamilla Kan, medical analyst at GlobalData, commented. Collaborations with tech giants can yield life-saving innovations and improved patient outcomes, but they can also raise concerns about data security and patient privacy. “The implications will affect patient privacy and jeopardize the public’s opinion on integrating new technologies into the healthcare industry,” Kan continued.
Medtronic has previously been subject to government scrutiny concerning the security of its devices.
This year, the US Cybersecurity and Infrastructure Security Agency (CISA) reported that Medtronic disclosed a cybersecurity breach related to a vulnerability in its Paceart Optima System, a system responsible for compiling and managing data from patients' cardiac devices.
In 2019, Medtronic recalled its MiniMed insulin pumps following a warning from the Food and Drug Administration (FDA) that identified a flaw in the devices. This flaw could allow unauthorized individuals to wirelessly connect to the pumps and modify their settings, potentially leading to excessive or insufficient insulin delivery. Additionally, in 2019, CISA issued an alert highlighting critical vulnerabilities in various Medtronic medical devices, including defibrillators. These vulnerabilities could be exploited by attackers seeking to tamper with the devices.
Kan added that, in the wake of this controversy, “the medical device industry may face heightened scrutiny and regulatory changes.” Medical device companies will need to establish clear data-sharing guidelines and implement rigorous consent procedures to maintain patient trust and avoid legal complications.