Medtronic Minimed, Inc. and Minimed Distribution Corp. (“Medtronic”) were sued in a class action complaint in the Central District of California on August 30, 2023, by users of Medtronic’s InPen® system. The lawsuit alleges that Medtronic engaged in “transmission and disclosure of Plaintiff’s and Class Members’ personally identifiable information (‘PII’) and protected health information (‘PHI’) [collectively, ‘Private Information’]… to Google and other third parties via tracking and authentication technologies – including Google Analytics (and others).”
The InPen® system, as described in the complaint, is “a smart insulin delivery system” that “help[s] people with type 1 or type 2 diabetes take the right amount of insulin, at the right time.” The InPen® system combines a Bluetooth-enabled insulin pen (“Pen”) with a corresponding mobile app (the InPen Diabetes Management app, or “App”), as shown below in an image from Medtronic’s website. According to the complaint, the App “automatically records the size and timing of insulin doses” and alerts users when insulin is not taken.
The plaintiffs allege the InPen® system has “Tracking Tools” (including “Google Analytics, Crashlytics, Firebase Authentication, and related tools”) “installed” on the App and accompanying digital platforms. The complaint goes on to assert that the InPen® system “collect[s] a treasure trove of personal data patients communicate in relation to their healthcare, which M[edtronic] secretly mines, transmits, and intercepts for its own benefit,” all “without first obtaining Plaintiff’s  consent or authorization.”
The complaint asserts that the Private Information improperly disclosed includes the user’s name, phone number, email address, date of birth, IP address, status as a person with diabetes, information about specific medical conditions and treatment and related health information (such as insulin use), unique identifiers tied to a user’s InPen account or mobile device, and “other sensitive personal and demographic information.” With all this information, the complaint alleges the Tracking Tools can individually identify users, and this information was sold. The plaintiffs assert that these actions invade customer privacy and violate Medtronic’s own Privacy Policies, HIPAA, industry standards (the AMA’s Code of Medical Ethics), and Federal Trade Commission (FTC) data security guidelines. The complaint further asserts that Medtronic “has admitted that it shared such information with Google and other third parties” and that Medtronic “publicly acknowledged its collection and dissemination of its Users’ Private Information” in “April of 2023” in a public notice.
The next steps will be for the plaintiffs to formally notify Medtronic of this lawsuit (referred to as “service”), if that has not already occurred. Once service occurs, Medtronic will likely have up to 21 days to formally respond to the complaint. The case docket is available here.