Though medical device maker Medtronic revealed in its Securities and Exchange Commission (SEC) filing that hackers had entered its network on two separate occasions last year and didn't steal anything, the incident appears to sit in a bit of a compliance grey area.
According to the Star Tribune, hackers from Asia were not able to steal any patient data, but Medtronic acknowledged that it has been unable to locate some patient records after hackers were able to access its diabetes unit network. Medtronic explained in the filing that it detailed the exposure to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). “Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia,” it said. “While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them [patient records] for retrieval.”
The Tribune reported that some state attorneys general asked Medtronic whether it would be necessary to report the data breach to affected patients, but the company said it "provided [the attorneys general] information about our analysis and conclusions that patient data was not affected."
As Devin Jopp, Ed.D., President and CEO of the Workgroup for Electronic Data Interchange (WEDI), recently told HealthITSecurity.com, WEDI issued breach risk assessment tips a few months ago because so many organizations need to make breach notification decisions and aren't quite sure what to do. "We wanted to help organizations know which incidents are reportable and those that don't need to be reported," said Jopp. "There were some instances where organizations were reporting things that they thought were breaches but really didn't rise to the level of what a breach is."
Without more details beyond the SEC filing, which didn't indicate how many patients' records were lost, it's hard to assess the incident from a federal reporting perspective. A San Francisco Chronicle report said that Boston Scientific and St. Jude Medical were also victims of the same hackers, but there aren't many details on those attacks either.