- Medtronic has issued an Urgent Medical Device Correction for its MiniMed 600 series insulin pump system after discovering an issue that could result in unauthorized access.
- After gaining access, the unauthorized user could cause the pump to deliver too much or too little insulin, potentially resulting in outcomes including death. Medtronic has no evidence that the vulnerability has been exploited but is advising users to take precautions.
- The notice is the latest in a series of issues related to MiniMed pumps, which were the subject of recalls in 2018 and 2019 that led to a warning letter late last year and a setback to Medtronic’s latest product launch.
The urgent notice issued by Medtronic relates to the MiniMed 630G and 670G pumps. The pumps are part of a set of components that need to communicate with each other, including a continuous glucose monitoring transmitter, blood glucose meter and USB device. In internal testing, Medtronic found that communication between the components can be compromised in specific circumstances.
To exploit the vulnerability, a nearby person would need to gain access to the pump at the same time it’s being paired with the other system components. The vulnerability cannot be exploited over the internet.
If someone gained unauthorized access, they could cause the pump user to have low blood sugar (hypoglycemia) or high blood sugar (hyperglycemia) by altering insulin delivery. The consequences of the delivery of an insulin bolus could include seizure, coma or death, and slowing or stopping the delivery of insulin could lead to diabetic ketoacidosis.
Medtronic has no evidence that the vulnerability has been exploited in the real world, but it is asking patients to turn off the “remote bolus” feature of their pumps as a precaution. The feature, which is on by default, allows users to deliver an insulin bolus without physically accessing the pump. Medtronic has previously reported a vulnerability related to this feature on other MiniMed pumps.