Medtronic Admits Hack Attack; Says Records Missing but Not Affected

Medtech giant Medtronic disclosed in its most recent annual report that it was victimized by hackers infiltrating the company's computers--and that two other medical device companies faced similar hacking incidents.

"Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia," the annual filing with the SEC said. The other two manufacturers were not named, but in February we reported that the San Francisco Chronicle, citing an unnamed source, had published an article in which source claimed that Medtronic, Boston Scientific, and St. Jude Medical had been collectively hacked during the first half of 2013.

Medtronic declined to comment beyond its SEC filing to the Star Tribune of Minneapolis.

In the annual SEC filing, the company said: "We concluded that the intrusion did not breach any of the databases where we store patient data."

Regarding governmental reporting requirements, Medtronic said, "We received inquiries from some State Attorneys General regarding whether notification to patients was necessary, and provided them information about our analysis and conclusions that patient data was not affected."

Medtronic, though, also acknowledged that there were troubles retrieving patient-related records from its diabetes business unit, though the company found no evidence of a security breach.

Medical device cybersecurity is a topic that's been receiving perhaps belated attention of late. As we reported earlier this month, FDA has released a Draft Guidance, "Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices," intended to supplement its "Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices" and "Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software."

At the end of April, FBI issued a warning on medical device hacking. And in May, Heartbleed became a worry for medtech as well as consumers across the world. 

Stephen Levy is a contributor to Qmed and MPMN.