Insulet reports data breach affecting 29,000 insulin pump users

The data breach occurred when the company requested users acknowledge they had received a notice about a recall of the Omnipod DASH Insulin Management System.
By Jessica Hagen
12:38 pm

Mass.-based medical device company Insulet issued a notice of a data breach that may have compromised the protected health information of 29,000 users of its recently recalled Omnipod DASH Insulin Management System.

In November, the FDA posted a notice about a Class I recall of Insulet's Omnipod DASH Insulin Management System Personal Diabetes Manager, following complaints about the battery, including swelling, fluid leaking and extreme overheating that may create a fire hazard. 

The company issued a voluntary device recall one month prior and notified users via an Urgent Medical Device Correction email.

In December, Insulet sent a follow-up letter asking users to acknowledge that they had received a medical device correction letter. The follow-up included a link to a unique webpage that inadvertently exposed users' IP addresses, and whether they used the DASH system and PDM, to website performance and marketing partners.

According to a copy of the letter Insulet sent to customers regarding the data breach, the company said "configuration of web pages used for receipt verification exposed some limited personal information" about customers. Financial information, email addresses, passwords and social security numbers were not disclosed. 

"We notified customers that some protected health information (PHI) such as use of the Omnipod DASH product and use of a PDM, linked with an IP address, may have been exposed. IP addresses are considered personal identifiers; however, they are linked to the location or the network through which a user connects with the internet and are not necessarily unique to an individual," a spokesperson for Insulet told MobiHealthNews via email. 

"Insulet takes this event very seriously. After discovering the privacy incident on December 6, 2022, we disabled all tracking codes on the relevant acknowledgment web page that same day so that no further exposure of PHI could occur. Where possible, we are also requesting that our partners delete logs of the IP addresses and unique URLs so that they would not continue to have access to that information."

Insulet notified the U.S. Department of Health and Human Services of the data breach on Jan. 5, according to the department's database.

THE LARGER TREND

The company launched its Omnipod 5 Automated Insulin Delivery System into the full U.S. market in early August after receiving FDA 510(k) clearance just one year ago.

In November, Insulet released its 2022 Q3 earnings, noting the company beat its revenue expectations with $326.1 million, a 23.7% increase in constant currency compared to $275.6 million from last year. 

Following the DASH recall, the company said it would ship users an updated PDM upon availability, which it said would cost an estimated $35 million to $45 million.

The FDA's recall classification came just days after the company issued a nationwide voluntary medical device "correction" for its Omnipod 5 controller due to charging port and cable issues. 

The publicly traded company received 24 reports that heat generated due to a poor connection between the cable and the port is causing the controller's charging port or cable to melt or become discolored or deformed. The excess heat can lead to a fire or cause minor burns if a user touches that area of the controller.
