Data Breaches at Insulet Corporation and Minnesota Department of Human Services

29,000 Insulet Corporation Customers Affected by Tracking Code Privacy Incident

Insulet Corporation, a medical device company based in Massachusetts, has just notified 29,000 of its Omnipod DASH customers of a new privacy breach. The company had already sent customers a Medical Device Correction (MDC) letter. Because it is important to apply the update, Insulet Corporation emailed a follow-up request to acknowledge receipt on December 1, 2022.

The emails contained a clickable hyperlink that took customers to a web page for acknowledging receipt, but a mistake in the configuration of that web page resulted in an impermissible disclosure of customers' protected health information (PHI). Each customer was emailed a unique web link that contained the customer's IP address and indicated whether the customer was an Omnipod DASH user and whether they had been given a Personal Diabetes Manager.

The MDC acknowledgment pages had cookies and trackers embedded in them that transmitted details of those web addresses to third-party website performance and advertising partners. Insulet stated that the privacy violation was detected on December 6, 2022. The company disabled all tracking technologies on the web pages to stop further exposure of PHI and asked its advertising partners to delete their records of the IP addresses and unique web addresses.

4,307 Individuals Affected by Error of Minnesota Department of Human Services Employee

A Minnesota Department of Human Services (DHS) employee made a mistake that led to the impermissible disclosure of the PHI of 4,307 residents of Minnesota. On November 18, 2022, while responding to a client’s request for a copy of their own information, the employee inadvertently provided the billing statements of 4,307 persons who signed up for Medical Assistance.

The investigation did not find any evidence indicating that the information was downloaded or misused. The patient who received the information informed DHS of the mistake and stated that the email would be erased. DHS affirmed that the statements did not contain highly sensitive data such as banking data, credit card numbers, or Social Security numbers. All affected persons received notification letters on January 11, 2023.