Patients logging in to track their insulin doses may be giving away protected health information (PHI) without knowing it. Health apps that embed third-party trackers such as Google Analytics can send large amounts of personal information to those vendors, who use it for marketing and analytics.
Medtronic MiniMed, Inc. (MiniMed), a health technology company headquartered in Minneapolis, MN, is facing a federal class action lawsuit alleging a breach of privacy caused by its use of Google Analytics in its InPen diabetes management app and services.
Web trackers are under intense scrutiny from regulators at the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) over privacy concerns, and several similar class action lawsuits involving website trackers have been filed over the last year.
The MiniMed Lawsuit
This lawsuit was filed on behalf of a plaintiff identified as A.H., who has used MiniMed’s InPen app and services since approximately July 2020. According to the lawsuit, MiniMed encourages InPen users to sign up for its diabetes management app for iOS and Android, promoting the device and digital platform as an integrated system that “combines insulin pumps and continuous glucose monitoring” for people with type 1 and type 2 diabetes.
The third-party tracking technologies embedded in MiniMed’s apps include Google Analytics, Crashlytics and Firebase Authentication. According to the complaint, these technologies collect data about patients’ medical conditions and communications, and that data is used for marketing and analytics and, ultimately, to increase profits. The complaint claims that InPen users were neither informed of nor consented to this collection, and that their privacy was therefore unlawfully breached.
The lawsuit seeks financial damages and extended credit monitoring for the plaintiff and class members, as well as injunctive relief requiring MiniMed to strengthen its data security systems and monitoring procedures. From the lawsuit:
“MiniMed’s disclosures of PII and PHI to Google is particularly problematic because Google provides webservices—such as YouTube and Gmail—that give it access to InPen users’ real identity and device identifiers. Plaintiff used his mobile device to access the App, and he also uses it to access his Gmail account. As a result, his PII and PHI was automatically linked to his real identity. Even if Plaintiff did not possess a Gmail account, Google would have nonetheless received information that allows it to individually identify him.”
Even users without a Google account can be individually identified from the information collected by the InPen apps, the complaint alleges, because MiniMed transmits patients’ email addresses, IP addresses, and related identifiers to Google.
MiniMed and HIPAA
HIPAA does not give individuals a private right of action, so this class action rests on other claims, including invasion of privacy, breach of fiduciary duty, breach of contract, violations of the federal Electronic Communications Privacy Act (ECPA), and the California Invasion of Privacy Act (CIPA).
Although it is not a HIPAA lawsuit per se, the complaint invokes HIPAA standards and OCR’s own guidance on website tracking technologies to argue that MiniMed failed to exercise the highest degree of care and protection for the patient data it collected.
MiniMed’s Notice of Privacy Practices acknowledges that it is a HIPAA covered entity with respect to its U.S. Medtronic Diabetes customers. Given OCR’s recent heightened interest in website tracking technology, MiniMed will likely face scrutiny from OCR in addition to the lawsuit. This is only the beginning: the lawsuit was just filed, and an OCR investigation, if one is opened, could take many months to unfold. We will monitor the case and update as it progresses.