Just a few months after Medtronic resolved a late 2021 FDA warning letter describing quality control issues at the headquarters of its diabetes division, that segment of its business is in the hot seat once again—this time, as the subject of a class-action lawsuit.
In a complaint filed in California district court at the end of August, a lead plaintiff identified only as A.H. alleged that Medtronic illegally distributed its customers’ personally identifiable information and protected health information (PII and PHI, respectively) to Google and other third parties.
According to the lawsuit, the affected data include those collected by the apps connected to Medtronic’s MiniMed insulin pumps and InPen “smart” insulin pens.
In a statement sent to Fierce Medtech, the company said, “Medtronic has not been served and will review the complaint once we receive it. It’s important to note that protecting patient information is critically important to Medtronic. We have strong processes, technologies and people in place to safeguard and protect our information and systems, the information of our business partners and most importantly, the privacy and safety of the patients and healthcare providers that use our products.”
A.H.’s legal team wrote in the complaint that Medtronic, through its MiniMed subsidiary, conducted the alleged unlawful data sharing to help third-party advertisers “create highly detailed user profiles for marketing and other commercial purposes.”
The lawsuit claimed that this type of data sharing has no benefit for the users themselves and that it could also expose sensitive information the users may not otherwise share with parties like Google.
“MiniMed’s disclosures of PII and PHI to Google are particularly problematic because Google provides web services—such as YouTube and Gmail—that give it access to InPen users’ real identity and device identifiers,” the attorneys wrote. “Plaintiff used his mobile device to access the app, and he also uses it to access his Gmail account. As a result, his PII and PHI were automatically linked to his real identity. Even if plaintiff did not possess a Gmail account, Google would have nonetheless received information that allows it to individually identify him.”
According to the privacy policy for Medtronic’s diabetes division, the company “will obtain your authorization or consent before using your PHI or disclosing it to persons or organizations outside of Medtronic” in certain situations that include “marketing or promotional purposes.”
A.H.’s team claimed that despite making that promise to patients, Medtronic has instead shared patients’ sensitive information with Google and other third parties “for marketing and analytics purposes and, ultimately, to increase revenue and profits.”
The lawsuit pointed to a notice that Medtronic Diabetes shared with customers in April of this year explaining how several Google tracking and authentication technologies used in the InPen app—which the company said were initially installed to better understand how users interact with the app and to verify logins—had been found to be transmitting “certain user information” to Google.
Medtronic said at the time that it was conducting an internal investigation to determine exactly what information had been shared via the Google services, suggesting that email addresses, phone numbers, IP addresses and login and timestamp data related to use of the InPen app may have all been affected. The company sent the notice to all InPen app users dating back to September 2020, “out of an abundance of caution,” and noted that the issue may have particularly affected those who were logged into their Google accounts and the InPen app at the same time.
That data sharing “violates [Medtronic’s] own privacy policy,” per the lawsuit, as well as federal HIPAA regulations, which the complaint says require users’ “express and informed consent” before their private information is exposed to any third party through tracking tools like those Medtronic used. The company also erred, A.H.’s team alleged, by failing to “adequately review its marketing programs and web-based technology to ensure its digital platforms were safe and secure” and to remove any tools found to compromise that safety.
“In short, MiniMed intentionally chose to put its profits over its patients’ privacy so it could access and monetize their valuable data for future marketing efforts,” the lawyers wrote.
Editor's note: This story was updated to include a statement from Medtronic.