In a filing with the Securities and Exchange Commission Friday, Medtronic (MDT) said in 2013 it informed the Health and Human Services Department it was unable to access certain records in its diabetes business unit.
Continue Reading Below
The medical device maker said it, along with two other large medical device manufacturers, became aware of unauthorized access to its systems, likely from hackers in Asia. Medtronic added, though, despite evidence of a breach, it doesn’t believe patient data was compromised or that it happened where patient data was stored.
“We received inquiries from some State Attorneys General regarding whether notification to patients was necessary, and provided them information about our analysis and conculsions that patient data was not affected,” the company said in the filing.
Medtronic said it has provided the Health and Human Services Office of Civil Rights with information about the issue as well as information on the firm’s security practices.
“We are committed to maintaining the security and privacy of patients’ health information and believe that we meet the expectations of the HIPPA rules,” Medtronic said in the filing.
In 2009, Congress modified certain provisions of the HIPPA privacy and security rules, requiring HHS to publish more specific security standards and increase requirements for companies to notify the public about breach scenarios. Those standards were finalized and put into place in 2013. The new regulations allow firms to be subject to HHS civil and criminal liability enforcement, whereas prior to September 2013, those same companies would receive indirect HHS enforcement.
Continue Reading Below
As a result, Medtronic said the potential for enforcement action against it is greater.
“While we believe we are and will be in substantial compliance with HIPAA standards, there is no guarantee the government will not disagree. Enforcement actions can be costly and interrupt regular operations of our business. Nonetheless, these requirements affect a limited subset of our business,” the firm said in its filing.
Medtronic reinforced the notion any possible action against it in relation to the breach would likely not have a material affect on its business, but said while it has not been named in any lawsuits related to consumer data breaches, if a substantial loss of data were to happen, it could become a target.
Shares of Medtronic were nearly 1% lower in recent trade.