Medtronic reveals cyberattack and patient data loss

Medtronic ($MDT) revealed that it was the target of a cyberattack in 2013 and that it lost patient records on a separate occasion, hearkening back to hacking rumors that circulated earlier this year.

According to regulatory documents filed on Friday, the med tech giant said that it, along with two other large medical device manufacturers, discovered an "unauthorized intrusion" into its systems last year that could be traced back to hackers in Asia. Medtronic emphasized that the attack did not breach any databases with patient information, and that the company worked with government officials to investigate the attack.

The company also disclosed that it lost an unnamed number of patient records from its diabetes unit in a separate incident, but does not know what type of information was included in the records. "While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them for retrieval," Medtronic said in its 10-K filing.

In February, Medtronic, Boston Scientific ($BSX) and St. Jude Medical ($STJ) were hit with a "very thorough" cyberattack that possibly originated in China, the San Francisco Chronicle reported. While the motive was unknown, hackers reportedly broke into the computer networks of the three medical device makers during the first half of 2013--a breach that might have stayed open for "several months," according to the Chronicle.

The hack could indicate a bigger problem in the industry, as device manufacturers face mounting pressure from industry groups and regulators to bolster security for their systems and products. Tom Kellermann, chief security officer with security software company Trend Micro, told Reuters that medical device makers focus too much on complying with government regulations for securing patient information with data encryption, and often overlook securing internal networks from hackers.

"The security posture of most device manufacturers is in critical condition," said Kellermann (as quoted by Reuters).

Meanwhile, regulators have taken note and are beefing up cybersecurity efforts. Last year, the FDA issued formal guidance for the management of cybersecurity in medical devices, and created a "cybersecurity laboratory" that stages deliberate cybersecurity attacks to weed out product defects. Some device makers remain wary of the FDA's oversight, but complying with new rules and legislation could be critical for companies that want to move their products through the pipeline, Battelle engineering manager Melissa Masters told MassDevice.

"Within the year, I would guess that we're going to start seeing devices turned away from the FDA and not getting 510(k) clearance or [premarket approval] because they have not taken cybersecurity concerns from the beginning and integrated that to the process appropriately," Masters said. "It's going to be unfortunate, because I also think that a lot of companies don't have this expertise within their organizations already."

- here's Medtronic's SEC filing
- read the Reuters story
- get more from MassDevice
- here's the San Francisco Chronicle report