URGENT FIELD SAFETY NOTIFICATION


MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps - Cybersecurity concerns


CareLink Personal v14.1b (MMT-7333) using CareLink uploader (ACC-7350)
CareLink system v3.1b (MMT-7350) using CareLink uploader (ACC-7350)


You are receiving this letter because our records indicate you may be using a MiniMed 508 insulin pump or a MiniMed Paradigm series insulin pump. Because your safety is our top priority, we are making you aware of a potential cybersecurity risk.

Potential cybersecurity risk:
The MiniMed 508 insulin pump and the MiniMed Paradigm series insulin pumps are designed to communicate using a wireless radio frequency (RF) with other devices such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices.

Security researchers have identified potential cybersecurity vulnerabilities related to these insulin pumps. An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery. This could lead to hypoglycemia (if additional insulin is delivered) or hyperglycemia and diabetic ketoacidosis (if not enough insulin is delivered).

IMPORTANT NOTE: At this time, we have received no confirmed reports of unauthorized persons changing settings or controlling insulin delivery.

ACTION REQUIRED:

For US Patients:
Due to this potential cybersecurity issue, we recommend that you speak with your healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection, such as the MiniMed 670G insulin pump.

If you and your healthcare provider decide that updating to a newer insulin pump model is the right decision for you, please call Medtronic at 1-866-222-2584 or go to (https://info.medtronicdiabetes.com/legacyexchange) to explore your options and to begin the replacement process.

In the meantime, we recommend you take the cybersecurity precautions included below.

For Patients outside the US:
You will receive a notification letter with instructions based on the country you live in. We recommend that you speak with your healthcare provider to discuss the cybersecurity issue and the steps you can take to protect yourself. In the meantime, we recommend you take the cybersecurity precautions included below.

If you live in a country that does not have a newer model Medtronic insulin pump available to you, you should take the cybersecurity precautions included below to minimize the potential for a cybersecurity attack and to continue to take advantage of the benefits of insulin pump therapy.

CYBERSECURITY PRECAUTIONS RECOMMENDED FOR ALL PATIENTS

  • Keep your insulin pump and the devices that are connected to your pump within your control at all times
  • Do not share your pump serial number
  • Be attentive to pump notifications, alarms, and alerts
  • Immediately cancel any unintended boluses
  • Monitor your blood glucose levels closely and act as appropriate
  • Do not connect to any third-party devices or use any software not authorized by Medtronic
  • Disconnect your CareLink USB device from your computer when it is not being used to download data from your pump
  • Get medical help right away if you experience symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect that your insulin pump settings or insulin delivery changed unexpectedly

The following pump models ARE vulnerable to this potential issue:

To find the software version for the MiniMed Paradigm pumps, go to the STATUS screen:

  • To open the STATUS screen, press STATUS until the STATUS screen appears.
  • To view more text on the STATUS screen, press the up or down arrow to scroll and view all the information.
  • To exit the STATUS screen, press STATUS until the STATUS screen disappears.

These pump models are NOT vulnerable to this issue:


You may also read the FDA’s Safety Communication (https://www.fda.gov/medical-devices/safety-communications/2019-safety-communications) about this potential cybersecurity risk.

We apologize for any inconvenience this may cause. Your safety and satisfaction are our top priorities. We appreciate your time and attention in reading this important notification.

As always, we are here to support you. If you have further questions or need assistance, please call our 24-Hour Technical Support at: 1-800-646-4633.


Sincerely

James Dabbs
Vice President, Quality Assurance
Medtronic Diabetes

Frequently asked questions


Medtronic takes customer safety and device security very seriously. Due to this potential cybersecurity issue, Medtronic is recommending customers speak with their healthcare provider (HCP) about changing to a newer model insulin pump. To help with this, we have created the Legacy Exchange Program, which gives our customers the opportunity to exchange or upgrade their legacy device to a newer model insulin pump with increased cybersecurity protection, like the MiniMed 670G insulin pump.

No, the MiniMed 530G insulin pump is not impacted by this cybersecurity issue.

Due to this potential cybersecurity issue, Medtronic is recommending customers speak with their healthcare provider (HCP) about changing to a newer model insulin pump with increased cybersecurity protection, like the MiniMed 670G insulin pump.

To help with this, we are offering a program for eligible people to upgrade to a newer insulin pump model or obtain a lower cost product exchange. In the meantime, we recommend you take the cybersecurity precautions to minimize the potential risks.

The MiniMed 508 insulin pump and the MiniMed Paradigm series insulin pumps are designed to communicate using a wireless radio frequency (RF) with other devices such as a blood glucose meter, glucose sensor transmitters, and CareLink USB devices.

Security researchers have identified potential cybersecurity vulnerabilities related to the communication protocol in these insulin pumps. An unauthorized person with special technical skills and equipment could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery. This could lead to hypoglycemia (if additional insulin is delivered) or hyperglycemia and diabetic ketoacidosis (if not enough insulin is delivered).

To find the software version for the MiniMed Paradigm pumps, go to the STATUS screen:

  • To open the STATUS screen, press ESC until the STATUS screen appears.
  • To view more text on the STATUS screen, press the up or down arrow to scroll and view all the information.
  • To exit the STATUS screen, press ESC until the STATUS screen disappears.

We have notified the appropriate regulatory authorities, published an advisory about this potential security concern, and informed healthcare professionals and patients about precautionary steps that can be taken to protect the security of their pump.

As part of our commitment to customer safety and device security, Medtronic works closely with industry regulators and researchers to anticipate and respond to potential risks. In addition to our ongoing work with the security community, we have already made several important changes to enhance device security with our newer devices available in some countries today. We will continue to take steps to collaborate with industry researchers and regulators to improve device safety.

Medtronic takes customer safety and device security very seriously. We have already introduced a new generation of insulin pumps that is not affected by this issue.

Of course, every person with diabetes should make these personal decisions along with their healthcare team, but there haven’t been any confirmed reports of this security risk. Your safety is our priority and we hope that you’re able to continue to experience the benefits of insulin pump therapy. If you are concerned, you can take note of the tips that we’ve shared.

No. This vulnerability does not impact the MiniMed 600 series insulin pumps because they use encrypted communication which is completely different from the communication used by the Paradigm pump models.

The MiniMed 600 series insulin pumps include the MiniMed 630G and MiniMed 670G systems in the US and the MiniMed 620G and 640G systems outside of the US.

If you feel concerned:

  • Keep your insulin pump and the devices that are connected to your pump within your control at all times.
  • Do not share your pump serial number.
  • Be attentive to pump notifications, alarms, and alerts.
  • Immediately cancel any unintended boluses.
  • Monitor your blood glucose levels closely and act as appropriate.
  • Do not connect to any third-party devices or use any software not authorized by Medtronic.
  • Disconnect your CareLink USB device from your computer when it is not being used to download data from your pump.
  • Get medical help right away if you experience symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect that your insulin pump settings or insulin delivery changed unexpectedly.

Every person with diabetes should make decisions about their insulin pump therapy along with their healthcare team. We recommend you talk about this with your healthcare team.