MA Medical Device Company Reports Healthcare Data Breach, 29K Impacted

January 20, 2023 - Insulet Corporation, a medical device company headquartered in Massachusetts, reported a healthcare data breach to HHS impacting 29,000 individuals. Insulet operates the Omnipod Insulin Management System, which provides continuous insulin delivery via a wearable insulin pump.

Insulet recently sent a Medical Device Correction letter to Omnipod DASH customers, its breach notice explained. The letter was followed-up by a receipt acknowledgement request send via email.

“We believe that the configuration of web pages used for receipt verification exposed some limited personal information about you to certain Insulet website performance and marketing partners,” the letter explained.

Specifically, the receipt verification email contained a clickable link that led to a unique verification page on the Omnipod website. The unique URL for each customer included the customer’s IP address, whether the customer is an Omnipod DASH user, and whether the customer has a Personal Diabetes Manager.

Insulet believes that the information was exposed to certain website performance and marketing partners.

“After discovering the privacy incident on December 6, 2022, we disabled all tracking codes on the MDC acknowledgment web page that same day so that no further exposure of PHI as described in this letter could occur,” the notice explained.

“Where possible, we are also requesting that our partners delete logs of the IP addresses and unique URLs so that they would not continue to have access to that information.”

Other healthcare organizations have reported breaches stemming from the use of marketing tools and tracking pixels from tech companies. For example, Advocate Aurora Health notified 3 million patients of a data breach that originated from its use of Meta and Google tracking pixels. Meta is now facing multiple lawsuits relating to how it handles sensitive health data.

Minnesota Department of Human Services Discloses Breach

In November 2022, a parent called the Minnesota Department of Human Services (DHS) to request copies of their Minnesota Medical Assistance Program Parental Fee billing statements from September, October, and November 2021.

A DHS employee accidentally emailed the parent billing statements of 4,307 individuals involved in the program, resulting in a data breach. The parent called DHS to inform the department of the error and agreed to destroy the information they received.

The billing statements included first and last names, addresses, DHS-generated billing account numbers, and parental fee account activity.

“DHS implemented new procedures to address the error that led to the incident, and communicated these procedure changes to staff,” a notice to impacted individuals stated.

“The DHS program area coached the employee involved in the incident on how to send private client information using secure procedures. DHS will conduct additional training of staff on using and protecting data, with assistance from the DHS Privacy Office.”

Rhode Island Department of Health Reports Breach

The Rhode Island Department of Health (RIDOH) informed 8,800 of a data breach that occurred between July and October 2022. On October 21, RIDOH learned that a hyperlink to a spreadsheet file containing information about individuals receiving food deliveries while in isolation or quarantine during the COVID-19 pandemic was accidentally included in certain emails sent by RIDOH employees.

The emails were sent to other individuals who received COVID-19 food box deliveries. The files contained names, addresses, phone numbers, the individual’s specific food needs, household information, and delivery information.

“As soon as this issue was discovered, we immediately restricted access to this file. We also began investigating this issue immediately. This investigation included extensive email searches to determine how widely the link to the file had been shared,” the notice stated.

“We are taking several added steps to prevent unintended releases of information in the future. This includes additional trainings for staff and enhanced security measures for the handling of sensitive information.”

RIDOH said it was unaware of any security concerns relating to the issue and will notify individuals if specific security concerns are identified in the future.