- Insulet said it may have revealed certain personal information about 29,000 Omnipod DASH customers to some of its partners.
- In an email to customers, the insulin pump manufacturer said an earlier recall communication notifying customers of battery problems with the Omnipod DASH revealed customers’ IP addresses and their use of the device.
- Insulet said its website performance and marketing partners were the only third parties to see the data and the leak was fixed on the day it was discovered late last year.
The problem stemmed from an email Insulet sent on Dec. 1 to request acknowledgment of an earlier medical device correction notice. Each email included a link to a unique verification page. The URL for the unique verification pages included the customer’s IP address, which someone could use to identify their location, and showed they used Omnipod DASH and a personal diabetes manager.
Insulet shared the URLs with its website performance and marketing partners through cookies and other trackers embedded in the code on the acknowledgment page. The company’s notice lacks details of the partners that accessed the URLs.
Omnipod.com, the domain covering the unique verification page URLs, asks users to accept multiple cookies. The list includes cookies from VWO, a provider of an A/B testing tool, and Optanon, a service that places a custom cookie disclosure notice on websites. The notice on Omnipod.com says the site may share information with social media, advertising and analytics partners.
Where possible, Insulet is asking its partners to “delete logs of the IP addresses and unique URLs so that they would not continue to have access to that information.” Insulet disabled all tracking codes on the acknowledgment page on Dec. 6, the day it learned of the privacy incident. The company has reported the incident to the U.S. Department of Health and Human Services.
The incident comes two years after a third party gained unauthorized access to certain systems run by Insulet’s online customer training vendor. The third party could have accessed the first and last names, email addresses, training records and online course information of Insulet customers.