Elevance Health’s profits rise 11% in Q1 to $2B – FierceHealthcare
Medtronic Alerts InPen App Users About Disclosures of Personal … – HIPAA Journal
Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google
The medical device manufacturer Medtronic – dba Medtronic MiniMed and MiniMed Distribution Corp (Medtronic Diabetes) – has recently confirmed that users of its InPen Diabetes Management App on iOS and Android have had some of their personal information disclosed to Google due to the use of tracking and authentication code within the InPen App.
The app utilized Google Analytics for Firebase, Crashlytics for Firebase, and Firebase Authentication. These tools disclosed certain information about app users to Google, especially when users were logged into their Google accounts at the same time that they used the InPen App. As a result, their identities and information about online activities were shared with Google. The tools were used by Medtronic Diabetes to gather information about the use of the app, identify technical issues, assess app performance, and understand user needs to provide care to customers and improve services.
Medtronic Diabetes said the data collected by these tools is analyzed at a consolidated rather than individual level and does not directly identify individual patient information, but it was determined that certain information was transmitted to Google when users were logged into their Google accounts. Medtronic Diabetes said that when the potential for unauthorized disclosure of user data was discovered, an internal investigation was launched into the use of these tracking technologies to determine exactly what information was potentially shared with Google.
The decision was taken to notify all users who registered for or used an InPen account since September 2020, as they may have been affected. The data disclosed to Google was dependent on user interactions with the app and on other factors, such as the browser used, whether cookies had been cleared, and whether users were logged into Google when using the app.
Medtronic Diabetes said that information disclosed may have included: email address, IP address, phone number, InPen App user name and password, timestamp information related to specific InPen App events, and certain unique identifiers tied to the InPen account or mobile device. The latter includes a unique Medtronic Diabetes user identifier, unique numbers attributed to each instance the InPen App is downloaded to a particular device, and identifiers tied to a mobile device such as a MAID, IDFA, AAID, and/or IDFV.
Medtronic Diabetes said Google Analytics has been removed from the latest version of the InPen app, and plans have been made to transition from Crashlytics and Firebase Authentication to other crash reporting and authentication systems.
La Clínica de La Raza Reports Email Breach
La Clínica de La Raza in Oakland, CA, has reported a breach of the protected health information of 15,316 individuals. Suspicious activity was detected within certain employee email accounts on February 8, 2023, and steps were immediately taken to secure the accounts. Assisted by a third-party computer forensics firm, La Clínica was able to confirm that a limited number of employee email accounts had been accessed by unauthorized individuals at various times between January 24, 2023, and February 8, 2023.
A review of all affected email accounts was conducted, and La Clínica confirmed on April 4, 2023, that they contained patient information such as names, addresses, dates of birth, financial account or payment card information, online credentials, Social Security numbers, medical treatment information, and/or health insurance information.
Affected individuals are being notified by mail, and complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers were exposed.
John Muir Health Says Walnut Creek Medical Center Patient Data Has Been Exposed
John Muir Health is notifying certain Walnut Creek Medical Center patients that some of their protected health information has been exposed and potentially accessed by unauthorized individuals. The Californian healthcare provider was notified about the exposure on March 22, 2023. A member of staff at the medical center created a website in order to communicate with other staff members more efficiently about the use of medical devices and centralize information such as vendor sites, order forms, and equipment information. The website included a link to an Excel spreadsheet that contained patient information. The information in the spreadsheet was intended to be accessed internally by authorized individuals; however, it could also be accessed by individuals outside of John Muir Health. The spreadsheet contained information such as names, facility, room, diagnosis, condition, and dates.
John Muir Health said the link to the Excel file was disabled on March 23, 2023, and the website was decommissioned on March 24, 2023. The investigation confirmed that the spreadsheet had not been accessed by any unauthorized third party between September 28, 2022, and March 23, 2023, but due to limited audit records, it was not possible to determine if there had been unauthorized access between July 1, 2021, and September 27, 2022.
Affected individuals have been notified by mail. The incident has been reported to the California Attorney General but is not yet appearing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post Medtronic Alerts InPen App Users About Disclosures of Personal Data to Google appeared first on HIPAA Journal.
HIMSS23: Google proceeds cautiously in bringing LLM to health – FierceHealthcare
Verizon, Cleveland Clinic team up on new 5G-enabled hospital – FierceHealthcare
Mount Nittany Health Sued Over Alleged Website Tracking Code … – HIPAA Journal
Mount Nittany Health Sued Over Alleged Website Tracking Code PHI Disclosures
Mount Nittany Health, a community healthcare provider and operator of the 260-bed Mount Nittany Medical Center in State College, Pennsylvania, is being sued over the alleged use of tracking code on its website and the impermissible disclosure of sensitive patient data to third parties such as Google and Facebook.
A recently published study indicates 99% of U.S. hospitals have used tracking code on their websites that collects the data of users as they navigate the website. The code is typically used to analyze website usage with a view to improving websites and services. The data collected is transmitted to the providers of that code and can be made available to third parties such as advertisers and is often used for serving targeted adverts and for other marketing purposes. Several health systems and hospitals have reported breaches of patient information due to the use of the code over the past few months, including Community Health Network, WakeMed Health and Hospitals, Advocate Aurora Health, and Novant Health, and lawsuits have been filed across the country in response to these disclosures, which are generally not permitted under the Health Insurance Portability and Accountability Act (HIPAA).
The Mount Nittany Health lawsuit was filed in Centre County Court in Pennsylvania on behalf of two unnamed plaintiffs, John and Jane Doe, by attorney George Bochetto of the law firm Bochetto & Lentz. The lawsuit claims the sensitive information of website visitors was collected via code such as Meta Pixel and was transferred to Meta and other third parties without the knowledge or consent of website users.
The code transferred personally identifiable information and information gathered from actions taken on the websites, from which it can be inferred that an individual was a patient of the medical center or was being treated for a specific medical condition. That information is used to sell advertising, and the website owners that install the code are provided with information about ads they have placed on social media networks such as Facebook and Instagram and are able to target individuals who visited their website with advertising.
The lawsuit alleges Mount Nittany Health is continuing to use tracking code on its website and has not notified individuals about the impermissible disclosures. At present, there is no notice on Mount Nittany Health’s website about a tracking code-related data breach and no data breach is listed on the HHS’ Office for Civil Rights breach portal. The lawsuit alleges invasion of privacy, breach of duty of confidentiality, unjust enrichment, and violations of the Wiretapping and Electronic Surveillance Control Act and seeks $1 million in damages.
The post Mount Nittany Health Sued Over Alleged Website Tracking Code PHI Disclosures appeared first on HIPAA Journal.