Medtronic discloses two data breaches last year; says no patient data stolen but some missing

Medtronic Inc. revealed Friday in a regulatory filing that hackers managed to infiltrate the company's computer systems in two separate incidents last year.

The Fridley-based company said no patient data was stolen but acknowledged that some records could no longer be located after hackers entered the network of its diabetes unit during one of the cyberattacks.

Medtronic, the world's largest stand-alone medical device maker, said the other attack was "believed to originate from hackers in Asia." Medtronic said two other large medical device manufacturers were victims of the same intrusion, but did not disclose who they were.

In February, the San Francisco Chronicle, citing an unnamed source, reported that Medtronic, Boston Scientific and St. Jude Medical had been collectively hacked during the first half of 2013. "For security reasons, Boston Scientific does not comment on the specifics of any attempted attacks," the company said Friday. St. Jude Medical did not return a phone call.

The Medtronic filing offered no other details about the scale of the attacks or whether other company information was lost. When contacted by the Star Tribune, the company declined to comment beyond its annual filing with the Securities and Exchange Commission.

In that document, Medtronic said it notified the government of the diabetes business breach at the time and has since provided details to the U.S. Department of Health and Human Services Office of Civil Rights. "While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them [patient records] for retrieval," the company said in the filing.

In the attack involving Medtronic and two other companies, Medtronic said it was contacted by some state attorneys general about whether it would be necessary to notify patients. Medtronic said it "provided them information about our analysis and conclusions that patient data was not affected."

While almost every state has data security laws, notification protocols vary, said Ed Mierzwinski, consumer project director of the Public Interest Research Group.

"In California, if data is lost, it is presumed at risk," Mierzwinski said. "The position of consumer groups is the stronger [the disclosure rules], the better. If Medtronic says, 'We didn't lose anything, but we can't find it,' it's not really a good answer."

In many states, companies have the discretion to determine, as Medtronic did, if unauthorized people got access to data before warning individuals.

Companies move cautiously because they don't want to alarm patients or customers and hurt their brands without legitimate reasons, said Chad Boeckmann, CEO of Secure Digital Solutions of Minneapolis. If all suspicious computer activity were reported, he explained, the public would be "inundated with data."

Boeckmann said Medtronic's efforts to contact various government constituencies demonstrate that it wanted to be in compliance with rules protecting patient privacy. As long as patient safety and the protection of customer information drive the decisionmaking, Boeckmann said, giving businesses discretion is fine.

"There is," he said, "a new awareness at the board level of the organizations we work with about cybersecurity and breach response."

Steve Alexander • 612-673-4553