News Feature | June 25, 2014

Medtronic Confirms Cyber Attack, Loss Of Patient Data

By Jof Enriquez,
Follow me on Twitter @jofenriq

Medtronic recently disclosed that hackers in 2013 tapped into its computer systems that stored patient records, and that it had lost some data of diabetes patients in a separate incident.

Referring to the cyber attack, Medtronic said that “the intrusion did not breach any of the databases where we store patient data,” according to a regulatory filing with the U.S. Securities and Exchange Commission (SEC). The company said it believed that hackers from Asia carried out the attempt and that it also affected two other large, unnamed medical device manufacturers.

Earlier this year, the San Francisco Chronicle reported that hackers from China were behind the Medtronic cyber attack, and that Boston Scientific and St. Jude Medical were the two other companies that were targeted.

According to the filing, several state attorneys general inquired about these intrusions after they were reported, and Medtronic “provided them information about our analysis and conclusions that patient data was not affected.”

The company also confirmed in its 10-K filing that it had lost some patient records of its diabetes business unit in a separate incident. “While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them for retrieval,” the company wrote.

Medtronic had notified patients in 2013 regarding the loss of the data, it said in the filing. According to an article in the Minneapolis/St. Paul Business Journal, Medtronic had “sent letters to about 2,700 people whose patient records were inside a box that went missing.”

After the notification, Medtronic said that it provided the U.S. Department of Health and Human Services (HHS) relevant “information on the issue and our information security practices” as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

In the same “patient privacy” section of the filing where it disclosed the cybersecurity breaches, Medtronic said that it is “committed to maintaining the security and privacy of patients’ health information and believe that we meet the expectations of the HIPAA rules.”

“The security posture of most device manufacturers is in critical condition,” Tom Kellermann, chief security officer with computer systems security firm Trend Micro, told Reuters. He added that medical device companies encrypt health records as mandated by federal regulations, but “fail to properly monitor and secure internal networks to identify and stop hackers who get past traditional firewalls and anti-virus software.”