Eric Wittgrove of Knobbe informs us of yet another tracking-related lawsuit involving health data:
Medtronic Minimed, Inc. and Minimed Distribution Corp. (“Medtronic”) were sued in a class action complaint in the Central District of California on August 30, 2023, by users of Medtronic’s InPen® system.
[…]
The complaint asserts that the Private Information improperly disclosed includes the user’s name, phone number, email address, date of birth, IP address, status as a person with diabetes, information about specific medical conditions and treatment and related health information (such as insulin use), unique identifiers tied to a user’s InPen account or mobile device, and “other sensitive personal and demographic information.” With all this information, the complaint alleges the Tracking Tools can individually identify users, and this information was sold. The plaintiffs assert that these actions invade customer privacy and violate Medtronic’s own Privacy Policies, HIPAA, industry standards (the AMA’s Code of Medical Ethics), and Federal Trade Commission (FTC) data security guidelines. The complaint further asserts that Medtronic “has admitted that it shared such information with Google and other third parties” and that Medtronic “publicly acknowledged its collection and dissemination of its Users’ Private Information” in “April of 2023” in a public notice.
Read more at JDSupra.
As a reminder: in 2022, HHS and FTC started sending out letters and bulletins warning entities about these tracking technologies. They repeated the cautions in new letters sent out in July. HHS OCR does not seem to have taken any enforcement action, however, against any specific entities — or if they are pursuing enforcement in any cases, they have not yet been made public.