Insulet alerts 29,000 Omnipod Dash insulin pump users to data breach linked to recall

Insulet has issued an alert for a data breach that may have compromised the health data of thousands of users of its Omnipod Dash insulin pumps.

The devicemaker notified affected users and filed a report of the breach with the U.S. Department of Health and Human Services on Jan. 5. According to the HHS’ database, the cybersecurity incident spans around 29,000 Omnipod Dash users.

The Omnipod Dash device is a simplified version of Insulet’s flagship Omnipod 5 pump. Both offer a tubeless, waterproof design and three days’ worth of around-the-clock insulin delivery, but the Dash model doesn’t share its sibling’s ability to sync with a user’s continuous glucose monitor or wirelessly connect to their smartphone. Insulet didn’t immediately respond to a request for comment on the breach.

In its letter to the affected customers—a copy (PDF) of which was published online by the Montana Department of Justice—Insulet said the breach was linked to the ongoing recall of the remote controllers used with the Dash devices.

The recall began in October—and was given the FDA’s most serious Class I rating a month later—after the company discovered that the batteries in the smartphone-esque Personal Diabetes Managers (PDMs) were at risk of swelling, leaking or overheating over long periods of use. Insulet said at the time that it would voluntarily replace all PDMs currently in use, an effort that was expected to cost the company between $35 million and $45 million to complete.

According to the letter about the data breach, Insulet sent Dash users an email on or around Dec. 1 requesting acknowledgment that they’d received the medical device correction notice detailing the recall. Each email carried an individualized link. Because of an improper configuration of the “cookies” and other trackers on the company’s website, clicking that link inadvertently shared certain protected health information with some of Insulet’s website performance and marketing partners, the company said: the trackers passed along the unique URL, which identified the recipient as a recall notice holder, together with the visitor’s IP address.

Though no financial information, Social Security numbers, email addresses or passwords were exposed in the breach, Insulet’s partners were able to see users’ IP addresses and whether they use a Dash pump and/or a PDM controller.
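The failure mode described above is a common one: a third-party analytics or marketing tag ships the full page URL (and the browser sends it again as the Referer), so an individualized link leaks the user's identity and health context to every partner whose tag is loaded. The example below is added here to illustrate that pattern and is not Insulet's code or configuration; the hostnames, the "/recall/acknowledge" path, the "token" parameter name and the sample requests are constructed for illustration. It shows the naive tag payload beside a redacted one, a rule for not loading partner tags on sensitive pages at all, and a check that scans a page's outbound requests for the individualized token.

```javascript
// Added example (not Insulet's code): how a partner tag built from the page URL
// leaks a per-user identifier, one way to redact it, and a leak check over
// observed outbound requests. All hostnames, paths and parameter names are
// hypothetical and constructed for this illustration.

const FIRST_PARTY_HOST = "www.example-devicemaker.test";
const SENSITIVE_PARAMS = new Set(["token", "uid", "ack"]);
const SENSITIVE_PATH_PREFIXES = ["/recall/", "/account/"];

// Misconfiguration pattern: the tag ships the current page URL verbatim, so the
// individualized link (path + token) reaches every partner that loads the tag.
function naiveTagPayload(pageUrl) {
  return { dl: pageUrl }; // "dl" = document location, as many tag vendors call it
}

// Hardened: individualized query values are blanked and sensitive paths are
// generalized, so a partner learns at most "some recall page was viewed".
function redactedTagPayload(pageUrl) {
  const u = new URL(pageUrl);
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) u.searchParams.set(key, "REDACTED");
  }
  const prefix = SENSITIVE_PATH_PREFIXES.find((p) => u.pathname.startsWith(p));
  if (prefix) u.pathname = prefix + "_";
  u.hash = "";
  return { dl: u.toString() };
}

// Stronger option: never load partner tags on sensitive pages, whatever the
// redaction, and never without consent.
function shouldLoadThirdPartyTags(pageUrl, hasConsent) {
  if (!hasConsent) return false;
  const u = new URL(pageUrl);
  return !SENSITIVE_PATH_PREFIXES.some((p) => u.pathname.startsWith(p));
}

// Leak check: given the requests a page fired (e.g. from a browser HAR export),
// list third-party requests whose URL or Referer carries a sensitive parameter
// value from the page URL. Matching on the raw value also catches the token
// after URL-encoding, since encodeURIComponent leaves alphanumerics untouched.
function findTokenLeaks(requests, pageUrl) {
  const page = new URL(pageUrl);
  const secrets = [...page.searchParams.entries()]
    .filter(([k]) => SENSITIVE_PARAMS.has(k.toLowerCase()))
    .map(([, v]) => v)
    .filter((v) => v.length > 0);
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === FIRST_PARTY_HOST) continue; // first-party calls are expected
    const referer = req.referer || "";
    const hit = secrets.find((s) => req.url.includes(s) || referer.includes(s));
    if (hit) leaks.push({ host, via: req.url.includes(hit) ? "url" : "referer" });
  }
  return leaks;
}

// Constructed sample: an individualized acknowledgment link and the requests the
// page fired after loading. The token value is made up.
const SAMPLE_PAGE =
  "https://www.example-devicemaker.test/recall/acknowledge?token=a1b2c3d4e5&src=email";
const SAMPLE_REQUESTS = [
  { url: "https://www.example-devicemaker.test/api/ack", referer: SAMPLE_PAGE },
  { url: "https://collect.analytics-partner.test/g?dl=" + encodeURIComponent(SAMPLE_PAGE),
    referer: SAMPLE_PAGE },
  { url: "https://px.ads-partner.test/p.gif", referer: SAMPLE_PAGE },
  { url: "https://cdn.fonts-partner.test/f.woff2",
    referer: "https://www.example-devicemaker.test/recall/_" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(naiveTagPayload(SAMPLE_PAGE));
  console.log(redactedTagPayload(SAMPLE_PAGE));
  console.log(shouldLoadThirdPartyTags(SAMPLE_PAGE, true));
  console.log(findTokenLeaks(SAMPLE_REQUESTS, SAMPLE_PAGE));
}
```

Two points the check makes visible: the pixel request to the ads partner carries no parameters of its own yet still leaks the token through the Referer header, so redacting only what the tag script sends is not enough (a restrictive Referrer-Policy or not loading the tag on that page is needed as well); and the Insulet remediation steps reported in the letter, disabling the tracking codes and asking partners to delete logs of IP addresses and unique URLs, map directly onto the two channels this check flags.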

Insulet told the affected users that it has completed “an extensive review and investigation” of the breach, which the company is taking “very seriously.”

Immediately upon discovering the breach on Dec. 6—several days after the acknowledgment requests were sent out—Insulet disabled all of the clickable tracking codes to prevent further data exposure, the company said in the letter. Additionally and “where possible,” Insulet said, “we are also requesting that our partners delete logs of the IP addresses and unique URLs so that they would not continue to have access to that information.”