Dive Brief:
- Insulet said it may have revealed certain personal information about 29,000 Omnipod DASH customers to some of its partners.
- In an email to customers, the insulin pump manufacturer said an earlier recall communication notifying customers of battery problems with the Omnipod DASH revealed customers’ IP addresses and their use of the device.
- Insulet said its website performance and marketing partners were the only third parties to see the data and the leak was fixed on the day it was discovered late last year.
Dive Insight:
The problem stemmed from an email Insulet sent on Dec. 1 to request acknowledgment of an earlier medical device correction notice. Each email included a link to a unique verification page. The URL for each verification page included the customer’s IP address, which someone could use to identify the customer’s location, and showed that the customer used Omnipod DASH and a personal diabetes manager.
Insulet shared the URLs with its website performance and marketing partners through cookies and other trackers embedded in the code on the acknowledgment page. The company’s notice lacks details of the partners that accessed the URLs.
Omnipod.com, the domain covering the unique verification page URLs, asks users to accept multiple cookies. The list includes cookies from VWO, a provider of an A/B testing tool, and Optanon, a service that places a custom cookie disclosure notice on websites. The notice on Omnipod.com says the site may share information with social media, advertising and analytics partners.
Where possible, Insulet is asking its partners to “delete logs of the IP addresses and unique URLs so that they would not continue to have access to that information.” Insulet disabled all tracking codes on the acknowledgment page on Dec. 6, the day it learned of the privacy incident. The company has reported the incident to the U.S. Department of Health and Human Services.
The incident comes two years after a third party gained unauthorized access to certain systems run by Insulet’s online customer training vendor. The third party could have accessed the first and last names, email addresses, training records and online course information of Insulet customers.