InPen™ breach notification FAQs
I received an email from Medtronic Diabetes about a privacy incident involving the InPen App or read about the incident on Medtronic Diabetes’ website. What happened?
Like many others in the healthcare industry, Medtronic Diabetes has used authentication and tracking technologies, including Firebase Authentication, Google Analytics for Firebase (“Google Analytics”) and Crashlytics for Firebase (“Crashlytics”) (collectively referred to herein as “Google Services”) on its InPen™ Diabetes Management iOS and Android mobile applications (the “InPen App”). Authentication technologies ensure a secure authentication system for users, and tracking technologies track user activities on websites or applications. Medtronic Diabetes had implemented these authentication and tracking technologies to ensure users were properly authenticated before accessing their accounts, track technical issues, and understand how users interact with the InPen App.
We recently learned that these technologies disclose to Google certain details about the user’s actions within the InPen App, particularly for users that are logged into their Google accounts at the same time as the InPen App and have shared their identity or other online activity with Google. Medtronic Diabetes is diligently working on disabling or removing Google Analytics and implementing a plan to transition from Crashlytics and Firebase Authentication to new crash reporting and authentication platforms for the InPen App.
Was my information shared?
Out of an abundance of caution, Medtronic Diabetes is contacting all users who have registered for, or used, an InPen™ account since September 2020, as they may have been affected, which means their information may have been shared with Google. Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Google accounts; whether they were logged into Google; and the specific actions taken on the platform by the user.
Who was my information shared with?
We have no reason to believe your information was shared with any parties other than Google. Based on our investigation, Google commits in its Privacy Policy and Terms of Use to restricting access to the personal information it acquires to its employees, contractors and agents, who are all subject to strict contractual confidentiality obligations.
What information of mine was shared?
Based on our investigation, no social security number, financial account, credit card, or debit card information was involved in this incident.
The following information may have been involved: your email address, IP address, phone number, InPen App user name and password, timestamp information related to specific InPen App events, and certain unique identifiers tied to your InPen account or mobile device (specifically, your unique Medtronic Diabetes user identifier (a unique string of numbers or characters assigned to each user of the InPen App by Medtronic Diabetes), unique numbers attributed to each instance the InPen App is downloaded to a particular device, and identifiers tied to your mobile device (such as mobile advertising IDs (MAIDs), Identifiers for Advertisers (IDFAs), Android Advertising IDs for Android devices (AAIDs), and Identifier for Vendors for iOS devices (IDFVs))).
What should I do if I am impacted?
Medtronic Diabetes is not aware of any misuse of information arising from this incident. These authentication and tracking technologies would be unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident. Based on our investigation, Google commits in its Privacy Policy and Terms of Use to restricting access to the personal information it acquires to its employees, contractors and agents, who are all subject to strict contractual confidentiality obligations.
Please refer to the compiled consumer identity protection resources to further educate yourself regarding identity theft and the steps you can take to protect yourself.
How do I update my InPen App to the latest version?
You can update the InPen App to the latest version by following the instructions below:
How to manually update apps on your iPhone or iPad:
- Open the App Store.
- Tap your profile icon at the top of the screen.
- Scroll to see pending updates and release notes. Tap Update next to an app to update only that app, or tap Update All.
How to manually update apps on your Android device:
- Open the Google Play Store app.
- At the top right, tap the profile icon.
- Tap Manage apps & device. Apps with an update available are labeled "Update available."
- Tap Update.
How can I manage my online tracking preferences?
If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to automatically decline cookies or be given the choice of declining or accepting the transfer to your computer of a cookie (or cookies) from a particular site. Some newer web browsers incorporate “Do Not Track” features.
You can limit the use of your information for interest-based advertising by using browser plug-ins/extensions and/or using your mobile device settings to limit the use of the advertising ID associated with your mobile device.
You may also be able to opt out of interest-based ads from companies participating in industry opt-out programs by visiting the following linked websites: the Network Advertising Initiative: Manage My Browser’s Opt Outs and the Digital Advertising Alliance: WebChoices Browser Check. The opt-out preferences described above must be set on each device and/or browser for which you want them to apply. If you opt out of interest-based advertisements, you will still see advertisements online, but they may be less relevant to you.
What are you doing about this so it does not happen again?
Medtronic Diabetes has removed Google Analytics from the latest version of the InPen App, and is implementing a plan to transition from Crashlytics and Firebase Authentication to new crash reporting and authentication platforms for the InPen App. In addition, we are proactively assessing how to further mitigate the risk of unauthorized disclosures of user protected health information in the future, we will continue to monitor our information security and technology solutions, and we will make improvements and enhancements where appropriate. Our priority is to ensure users can continue to access diabetes management tools on their InPen App accounts in a secure manner.
How many people were impacted?
Medtronic Diabetes is providing notice about this incident to all users who have registered for, or used, an InPen App account since September 2020, as they may have been affected.
What’s next?
Medtronic Diabetes’ legal, compliance, information technology and consumer experience teams are working closely to ensure we act in accordance with evolving best practices to safeguard user information.