June 23, 2014
Medtronic Reveals They Were Targeted By Hackers, Lost Patient Records
redOrbit Staff & Wire Reports - Your Universe Online
The largest stand-alone medical device manufacturer in the world has revealed that hackers had successfully infiltrated its computers, and that it had lost some patient records in separate incidents last year.
In regulatory documents filed with the US Securities and Exchange Commission (SEC) on Friday, Minneapolis-based Medtronic confirmed that it and two other large medical technology companies had been victimized by cyberattacks originating from Asia, according to Reuters reporter Jim Finkle.
The hackers were unable to gain access to databases which stored patient information, the company said. However, Medtronic went on to confess that it had lost an undisclosed number of records from its diabetes business unit, which markets products such as insulin pumps. The exact nature of the information contained in those files is unknown.
“While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them for retrieval,” the company’s 10-K filing said, according to Finkle. Medtronic noted that the US Department of Health and Human Services had questioned company representatives about the loss of the records, and that the agency was provided with information on the problem and the firm’s overall data security measures.
The names of the other cyberattack victims were not disclosed, but according to Jim Spencer and Steve Alexander of the Minneapolis Star-Tribune, previously published reports citing an unidentified source said that Medtronics, Boston Scientific and St. Jude Medical had all been hacked during the first half of 2013. Boston Scientific declined a request to comment on the specifics of the incident, citing security reasons, while St. Jude Medical did not respond to a phone call from the reporters.
No other details about the scale of the attacks were disclosed in the filing, Spencer and Alexander noted. However, Medtronics did report in the filing that they had been contacted by some state attorneys general about whether or not patients needed to be notified about the missing patient records. The company said that it found no evidence of a breach, and that based on its review of the situation, it believed that the patient data had not been compromised.
“When and how to tell people that their personal information may have been compromised has long been a source of debate among corporations, consumers and regulators,” the StarTribune reporters explained. “The matter gained more public interest late last year, when hackers gained access to Target Corporation’s systems and retrieved card data and personal information of tens of millions of customers.”
The Target incident took place in the midst of the 2013 holiday season, one of the busiest and most lucrative times of the year for the retailer, and involved hackers gaining unauthorized access to payment card data. The breach reportedly only affected customers who shopped at one of the company’s 1,797 US stores between November 27 and December 15, and Target advised customers to monitor their accounts for suspicious or unusual activity.
“Target was criticized by some consumer advocates for not moving swiftly enough to inform the public that consumer information was stolen,” Spencer and Alexander said. That criticism likely played a role in Medtronic’s efforts to contact various government officials and agencies to make sure that they are in compliance with patient privacy regulations, Secure Digital Solutions CEO Chad Boeckmann told the reporters.
PROTECT YOURSELF TODAY - Norton Antivirus