Medtronic MiniMed, a healthcare company, has notified 91,325 InPen Diabetes Management app users of an unintentional disclosure of their personal and health data to Google. The disclosure occurred due to the use of Google Services’ tracking and authentication technologies, including Analytics, Crashlytics, and Firebase Authentication.
Medtronic claimed the tools were used to understand how users interacted with the app and identify technical issues. However, the use of pixel and tracking tools has resulted in numerous data disclosures to third parties from healthcare websites and applications.
These disclosures are unintended and reflect a lack of understanding of the risks posed by the tools.
Medtronic was apparently unaware of the disclosure, and the tools used in the app were reviewed only at a consolidated level and did not identify individual patient information. An investigation was launched when the data sharing was discovered on Feb. 13; it confirmed that no Social Security numbers or financial details were involved.
Users were notified of the disclosure of their email and IP addresses, usernames and credentials, timestamp information tied to specific InPen App events, and certain unique identifiers connected to user accounts or mobile devices.
The unique identifiers disclosed included Medtronic Diabetes user identifiers, unique numbers tied to each InPen App download, and identifiers tied to mobile devices, such as mobile advertising IDs and Identifiers for Vendors on iOS devices. Identifiers of this kind help third parties build a unique footprint for each user and are typically used for advertising purposes.
Medtronic has removed Google Analytics from the latest version of its InPen App and is transitioning from Crashlytics and Firebase Authentication to new crash reporting and authentication platforms.
The company is assessing how to reduce the risk of unintended disclosures of protected health information in the future.
The disclosure has increased congressional and regulatory scrutiny of the use of pixel and tracking tools in the healthcare industry. These tools pose a significant consumer data privacy risk, and Congress is working to address this issue.
Medtronic officials have stated that Google’s privacy policy and terms of use restrict access to the personal information it acquires to workforce members, all of whom are subject to strict contractual confidentiality obligations.
The company’s priority is to ensure that users can continue to access diabetes management tools on their InPen App accounts securely.