Ah, kudos to Patrick Ouellette of HealthITSecurity.com, who dug into recent reports of a Medtronic breach more deeply than I did. While most media reiterated Medtronic’s claims that no patient data was involved, Patrick reports:
Though medical device maker Medtronic revealed that hackers had entered network on two separate occasions last year in its Securities and Exchange Commission (SEC) filing and didn’t steal anything, the incident appears to be in a bit of a compliance grey area.
According to the Star Tribune, hackers from Asia were not able to steal any patient data, but Medtronic acknowledged that it has been unable to locate some patient records after hackers were able to access its diabetes unit network. Medtronic explained in the filing that it detailed the exposure to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). “Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia,” it said. “While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them [patient records] for retrieval.”
Read more on HealthITSecurity.com.
This poses something of a dilemma in terms of whether notification is required under HITECH. Medtronic concluded that “patient data was not affected,” but if they can no longer find it on their server, then the records were either downloaded and deleted, exported and deleted, just deleted, or perhaps destroyed during the forensics process, as four possibilities. If their forensics can confirm that the data weren’t downloaded or exfiltrated, and if they have backups of the patient data, then what is the risk to patients?