UPDATE 2-Medtronic says was victim of cyber attack, lost patient records
(Adds comment from cybersecurity expert)
By Jim Finkle
BOSTON, June 20 (Reuters) - Medtronic Inc, the world's largest stand-alone medical device maker, was the victim of a cyber attack and lost some patient records in separate incidents last year, it said in a regulatory filing on Friday.
"Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia," the company said in a 10-K filing with the U.S. Securities and Exchange Commission.
The company said in the filing the hackers did not breach any databases that store patient information, but it disclosed a separate incident in which it lost an undisclosed number of records of patients from its diabetes business unit, which sells insulin pumps and related products. It was not know what type of information was contained in the patient records.
"While we found no evidence of a breach or inadvertent disclosure of the patient records, we were unable to locate them for retrieval," the document said.
It said the U.S. Department of Health and Human Services had questioned Medtronic about the loss of the records, and that the company provided the agency with information on the problem and its data security practices.
Medtronic officials could not be reached to elaborate on the contents of the 10-K filing, which did not identify the other companies involved in the breach.
Tom Kellermann, chief security officer with Trend Micro Inc , which makes security software, said the cybersecurity of medical device makers tends to lag behind industries such as banking and defense contractors.
"The security posture of most device manufacturers is in critical condition," said Kellermann, who was not privy to details of the attack on Medtronic.
He said medical device makers focus too much on complying with government regulations for securing patient information with data encryption, but they fail to properly monitor and secure internal networks to identify and stop hackers who get past traditional firewalls and anti-virus software.
Medtronic's disclosure came less than a week after announcing plans to buy Dublin-based Covidien Plc for $42.9 billion.
The Covidien deal, announced on June 15, would create a close competitor in size to the medical device business of industry leader Johnson & Johnson Co.
Shares in Minneapolis-based Medtronic fell 1.2 percent to $63.89 in mid-day trade, while the S&P 500 Index was up 0.1 percent. (Editing by Jeffrey Benkoe)
We are living longer but not creating financial plans to keep pace. Advisers give tips on how to make sure you don’t outlive your money. Video