InPen Data Breach: Medtronic Shares Patients’ Health Info with Third Parties Via iOS, Android Apps, Lawsuit Alleges

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges the maker of the Bluetooth-enabled InPen reusable insulin pen has illegally shared with Google and other third parties the personally identifiable information of users nationwide. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 65-page lawsuit against Medtronic MiniMed and MiniMed Distribution says Medtronic encourages InPen users to sign up for the InPen Diabetes Management app for iOS and Android, promoting the device and digital platform as an integrated system that “combines insulin pumps and continuous glucose monitoring” for those with type 1 and type 2 diabetes. 

Despite the sensitive nature of InPen users’ health information, Medtronic has nevertheless utilized third-party tracking technology, including Google Analytics, Crashlytics, Firebase Authentication and similar tools, on its iOS and Android apps to acquire data on consumers’ medical conditions and communications, the complaint alleges. Per the suit, the defendants can use this data for marketing and analytics and, ultimately, to increase profits. 

“Although the full scope of MiniMed’s data monetization and sharing practices is presently unknown, the information it illegally sent to third parties can be associated with other data to create highly detailed user profiles for marketing and other commercial purposes—none of which benefit InPen Users,” the lawsuit relays. 

The InPen is touted as a “smart” insulin delivery system that utilizes Bluetooth technology and an “intuitive” mobile app to help users take the right amount of insulin at the right time, the case states. Moreover, the InPen system provides a platform for patients to share information and communicate with their healthcare providers, the suit says. 

In particular, the InPen app automatically records the size and timing of insulin doses, provides reminders and alerts when insulin is not taken, and can be personalized to the patient’s needs, the filing relays. 

The lawsuit stresses that Medtronic and MiniMed have represented to patients that their protected health information will only be used with their written authorization in limited circumstances, “none of which apply here” or include the tracking technologies allegedly in use by the iOS and Android apps. 

According to the suit, MiniMed’s disclosure of patients’ data to Google is “particularly problematic” in that Google has access to many InPen users’ real identities and device identifiers through YouTube and Gmail. 

“Plaintiff used his mobile device to access the App, and he also uses it to access his Gmail account. As a result, his [personally identifiable information] and [protected health information] was [sic] automatically linked to his real identity. Even if Plaintiff did not possess a Gmail account, Google would have nonetheless received information that allows it to individually identify him.” 

Even non-Google users can be individually identified via the information collected on the InPen apps, namely because MiniMed transmits to Google patients’ email addresses, IP addresses, and related identifiers, the case claims. 

Although healthcare companies were warned as early as February 2020 that they might be disclosing sensitive patient data to digital marketing firms through their use of tracking technologies, MiniMed made no acknowledgment of its collection of InPen users’ data until April of this year, the case states. 

“In short, MiniMed intentionally chose to put its profits over its Patients’ privacy so it could access and monetize their valuable data for future marketing efforts,” the lawsuit summarizes, stressing that healthcare entities subject to the Health Insurance Portability and Accountability Act (HIPAA) are not permitted to use tracking technologies in a way that exposes patients’ private data to third parties without express and informed consent. 

The lawsuit looks to cover all MiniMed patients who used the company’s digital apps and InPen while residing in the United States. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.