Medtronic MiniMed has joined the long list of healthcare entities to report unintentional disclosures to third parties without authorization due to the use of tracking or pixel technology.
The company’s recent notice to 91,325 InPen Diabetes Management users of its iOS and Android mobile applications shows both their personal and health data was disclosed to Google due to the use of Google Services’ tracking and authentication technologies, including Analytics, Crashlytics, and Firebase Authentication.
Medtronic used the Google services “to understand how users interact with the InPen App,” officials explained. The tools were designed to gather information to identify technical issues, assess the performance of the app and “understand user needs and preferences.”
The language mirrors the previous pixel-tracking disclosures of other health entities released within the last 10 months. Multiple reports have confirmed the use of pixel and tracking tools on most healthcare websites and applications, which have disclosed data to third parties.
As SC Media reported, the disclosures were likely unintended and due to a lack of understanding about the risk of disclosure posed by these tools. Congress, the Department of Health and Human Services, and other regulators and stakeholder groups are keenly focused on the use of these tools and possible privacy violations.
It appears Medtronic was wholly unaware of the possible disclosure, as the use of the tools on the app was “reviewed at a consolidated level, not at the individual level, and does not directly identify individual patient information.”
Medtronic first discovered the data sharing on Feb. 13, which was caused by the app’s tracking tools disclosing certain details about users’ actions within the app — especially if users were logged into their Google accounts while they were using the InPen app.
Upon discovery, Medtronic launched an investigation to understand the scope of the data sharing.
Medtronic uses Firebase Authentication to securely log on its users into the app. In addition to the use of Analytics and Crashlytics, certain user data was transmitted to Google. After users logged into their account, Firebase Authentication would then transmit some user data to Google in connection with their registration on the InPen App.
While the investigation confirmed that no Social Security numbers or any financial details were involved, users were notified their email and IP addresses, usernames and credentials, timestamp information tied to specific InPen App events, and “certain unique identifiers” connected to user accounts or mobile devices.
Namely, unique Medtronic Diabetes user identifiers, the unique string of numbers or characters assigned individual users, unique numbers tied to each InPen App download, and identifiers tied mobile devices, like mobile advertising IDs, identifiers for advertisers (IDFAs), Android Advertising IDs for Android devices (AAIDs), and Identifier for Vendors for iOS devices (IDFVs)).
As examined during this week’s House Oversight Committee hearing, this “inferring data” can help third parties draft users’ unique footprint and is typically used for advertising purposes. The exposure of digital identities is an ongoing consumer data privacy risk, which Congress is working to address.
Since discovering the third-party disclosure, Medtronic has removed Google Analytics from the latest version of its InPen App as it works on a plan to transition from Crashlytics and Firebase Authentication to new crash reporting and authentication platforms.
Medtronic is currently assessing how to reduce the risk of possible unintended disclosures of protected health information in the future.
“Our priority is to ensure users can continue to access diabetes management tools on their InPen App accounts in a secure manner,” officials said in a statement. “Based on our investigation, Google's … privacy policy and terms of use” restricts “access to the personal information it acquires” to workforce members, “all subject to strict contractual confidentiality obligations.”