It hasn’t been in the headlines — at least not yet — but Medtronic, a well-known medical device company, is notifying some customers after an incident one employee’s devices may have compromised personal or patient information.
According to a notification letter, on March 12, an employee’s computer, phone, and iPad were “taken and accessed for a short period of time” by an unauthorized person. The firm moved quickly to recover the devices and to investigate, but they could not determine with absolute confidence whether the individual accessed information or took any screenshots of information.
As a result of the uncertainty, they are notifying anyone who may have been impacted, although the exact number of patients was not revealed in the notification letter to customers. The types of information that may have been accessed included name, address, phone number, email, date of birth, and Social Security number.
Those being notified are being offer 12 months of credit and Cyberscan monitoring, a $1 million insurance reimbursement policy, and fully managed ID theft recovery services with IDX.
As soon as the firm discovered the problem, the employee’s system access was suspended, and the employee was terminated related to this incident, it seems. It is not clear from the letter signed by Mark Grant, VP Americas, Diabetes, how the “unauthorized” person got the employee’s devices and was able to access them, and whether the employee had knowingly given the individual the devices, left them unattended, or if there is some other explanation. Nor does the notification explain if these were employer-issued devices that had been configured for security by the firm or if these were personal devices that the employee used for work with the employer’s knowledge.
The notification appears below. See what you think.