June 6, 2023

Medtronic MiniMed has disclosed data to third parties without authorization due to the use of tracking or pixel technology.

It has notified 91,325 users of the InPen Diabetes Management mobile app that both their personal and health data were disclosed to Google due to the use of Google Services’ tracking and authentication technologies, including Analytics, Crashlytics, and Firebase Authentication.

The tools were designed to gather information to identify technical issues, assess the performance of the app, and understand user needs and preferences. The language mirrors the previous pixel-tracking disclosures of other health entities released within the last 10 months.


Medtronic was wholly unaware of the possible disclosure, as the use of the tools on the app was reviewed at a consolidated level, not at the individual level, and does not directly identify individual patient information.

Medtronic first discovered the data sharing on Feb. 13, which was caused by the app’s tracking tools disclosing certain details about users’ actions within the app. Upon discovery, Medtronic launched an investigation to understand the scope of the data sharing.

Medtronic uses Firebase Authentication to securely log its users into the app. Certain user data was transmitted to Google. After users logged into their account, Firebase Authentication would then transmit some user data to Google in connection with their registration on the InPen App.

While the investigation confirmed that no Social Security numbers or any financial details were involved, users were notified that the disclosed data included their email and IP addresses, usernames and credentials, timestamp information tied to specific InPen App events, and “certain unique identifiers” connected to user accounts or mobile devices.

Namely, these are unique Medtronic Diabetes user identifiers, the unique string of numbers or characters assigned to individual users, unique numbers tied to each InPen App download, and identifiers tied to mobile devices, like mobile advertising IDs, identifiers for advertisers (IDFAs), Android Advertising IDs for Android devices (AAIDs), and Identifiers for Vendors for iOS devices (IDFVs).


Since then, Medtronic has removed Google Analytics from the latest version of its InPen App as it works on a plan to transition from Crashlytics and Firebase Authentication to new crash reporting and authentication platforms.

Medtronic is currently assessing how to reduce the risk of possible unintended disclosures of protected health information in the future.
