Medtronic Italia – €300,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Medtronic Diabetes is a medical technology firm focused on innovation in diabetes solutions, such as the MiniMed Mobile app, which displays insulin pump and continuous glucose monitoring data. The app offers a direct connection to the patient's healthcare provider through the CareLink Personal software.

A member of the firm's staff emailed users of the MiniMed Mobile app in several countries inside and outside the EU to notify them about a server maintenance update and the steps needed to regain access to CareLink Personal after the update. The staff member put the recipients' email addresses in the 'To' field instead of the 'Bcc' (Blind Carbon Copy) field. As a result, around 5,000 email addresses of MiniMed Mobile app users worldwide were exposed, including 732 in Italy. The body of the notification contained no personal data, but every recipient could see the other recipients' email addresses.

Medtronic promptly notified the breach to the Italian DPA, attempted to recall all the emails and instructed affected users to delete them. After the incident, the controller re-trained staff on email notification procedures and began implementing an automated tool to prevent a recurrence.

Some of the exposed addresses were made up of the data subject's first name and surname, which made the person identifiable and therefore indirectly disclosed data relating to their health within the meaning of Article 9 GDPR: the email revealed that the recipients were users of the MiniMed Mobile app, even though the controller stressed that the content of the email itself included no personal data.

Following this breach notification, the DPA requested further preliminary information and scrutinized the company's handling of personal health data in an email notification sent to a large number of recipients. The DPA concluded that the company failed to
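As an added example (not code from the page or from Medtronic), the following pre-send guard models the kind of automated control the remediation describes: it refuses a bulk notification whose visible To/Cc headers would disclose the recipient list, and offers a rewrite that moves the audience to Bcc. The function names, the `MAX_VISIBLE_RECIPIENTS` threshold and the sample addresses are assumptions.

```python
"""Pre-send guard for bulk notifications (added example, not Medtronic's tool)."""
from dataclasses import dataclass, field
from email.utils import getaddresses

# Assumption: a bulk notification should show at most one visible recipient,
# typically the sender's own no-reply address; the audience belongs in Bcc.
MAX_VISIBLE_RECIPIENTS = 1


@dataclass
class GuardResult:
    allowed: bool
    visible: int                 # addresses every recipient could read (To/Cc)
    hidden: int                  # addresses delivered via Bcc
    reasons: list = field(default_factory=list)


def _addresses(*fields: str) -> list[str]:
    """Parse RFC 5322 address-list header values into bare addresses."""
    values = [f for f in fields if f]
    return [addr for _, addr in getaddresses(values) if addr]


def check_bulk_notification(headers: dict) -> GuardResult:
    """Decide whether a message is safe to send to a bulk audience.

    headers maps 'To', 'Cc', 'Bcc' to address-list strings. Every To/Cc
    address is disclosed to every recipient, so their count is the size
    of the exposure if the message were sent as-is.
    """
    visible = _addresses(headers.get("To", ""), headers.get("Cc", ""))
    hidden = _addresses(headers.get("Bcc", ""))
    reasons = []
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        reasons.append(f"{len(visible)} addresses in To/Cc would be disclosed "
                       f"to every recipient; move the list to Bcc")
    if not visible and not hidden:
        reasons.append("no recipients")
    return GuardResult(not reasons, len(visible), len(hidden), reasons)


def to_bcc(headers: dict, visible_to: str) -> dict:
    """Rewrite a message so the whole audience is in Bcc and only visible_to in To."""
    audience = _addresses(headers.get("To", ""), headers.get("Cc", ""),
                          headers.get("Bcc", ""))
    return {"To": visible_to, "Cc": "", "Bcc": ", ".join(dict.fromkeys(audience))}
```

Wiring `check_bulk_notification` in front of the mail gateway blocks the exact mistake in this case before the message leaves the organisation, rather than relying on recall and deletion afterwards.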
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Medtronic Italia in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
8 February 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€300,000
Enforcement Tracker ID
ETid-2245
GDPRhub ID
gdprhub-7739
Cite as: Cookie Fines. Medtronic Italia - Italy (2024). Retrieved from cookiefines.eu