(Adds comment from cybersecurity expert)
By Jim Finkle
BOSTON, June 20 Medtronic Inc, the
world's largest stand-alone medical device maker, was the victim
of a cyber attack and lost some patient records in separate
incidents last year, it said in a regulatory filing on Friday.
"Medtronic, along with two other large medical device
manufacturers, discovered an unauthorized intrusion to our
systems that was believed to originate from hackers in Asia,"
the company said in a 10-K filing with the U.S. Securities and
The company said in the filing the hackers did not breach
any databases that store patient information, but it disclosed a
separate incident in which it lost an undisclosed number of
records of patients from its diabetes business unit, which sells
insulin pumps and related products. It was not know what type of
information was contained in the patient records.
"While we found no evidence of a breach or inadvertent
disclosure of the patient records, we were unable to locate them
for retrieval," the document said.
It said the U.S. Department of Health and Human Services had
questioned Medtronic about the loss of the records, and that the
company provided the agency with information on the problem and
its data security practices.
Medtronic officials could not be reached to elaborate on the
contents of the 10-K filing, which did not identify the other
companies involved in the breach.
Tom Kellermann, chief security officer with Trend Micro Inc
, which makes security software, said the cybersecurity
of medical device makers tends to lag behind industries such as
banking and defense contractors.
"The security posture of most device manufacturers is in
critical condition," said Kellermann, who was not privy to
details of the attack on Medtronic.
He said medical device makers focus too much on complying
with government regulations for securing patient information
with data encryption, but they fail to properly monitor and
secure internal networks to identify and stop hackers who get
past traditional firewalls and anti-virus software.
Medtronic's disclosure came less than a week after
announcing plans to buy Dublin-based Covidien Plc for
The Covidien deal, announced on June 15, would create a
close competitor in size to the medical device business of
industry leader Johnson & Johnson Co.
Shares in Minneapolis-based Medtronic fell 1.2 percent to
$63.89 in mid-day trade, while the S&P 500 Index was up
(Editing by Jeffrey Benkoe)