Medical Device Data Theft

The Lyon Firm is actively involved in Health Data Misuse Class Action Lawsuits on behalf of consumers nationwide.
Nationwide Success

Health Data Privacy Lawyer

Reviewing connected medical device data theft cases

As pacemakers, insulin pumps and other medical devices become more advanced, they are produced with software that connects to the internet, hospital networks and mobile devices. Thus, it is more important than ever to make sure medical devices are secure.

Some hospitals in the U.S. report 10 to 15 connected medical devices per patient bed, with hundreds of thousands of connected medical devices operating in large hospital systems. When there is a security breach, things can get out of hand very quickly, impacting hundreds of thousands of individuals.

Modern medical devices carry security risks that many patients have not been aware of until relatively recently. But seeing as many medical devices are connected to the Internet, hospitals and other healthcare providers have a duty to protect health information that may be stored on networks.

In a 2014 report, the FBI stated that cyber actors will likely increase data intrusions against health care systems, including connected medical devices, due to the mandatory transition from paper files to electronic health records (EHR), subpar cybersecurity standards, and a higher financial payout for medical records on the black market.

There is no doubt that connected medical devices provide features that improve health care and instant health awareness, but they must be treated carefully, as though they carry the risk of potential cybersecurity threats.

Like other computer systems, medical devices are vulnerable to security breaches, which can affect not only patient safety but also expose patients to data theft and identity theft.

Data breach threats and medical device cybersecurity form a challenging new area of litigation. Attorneys say device manufacturers, hospitals, and healthcare management may all be liable for health data theft or mismanagement.

The Lyon Firm is currently investigating data theft and healthcare data privacy cases and reviewing identity theft claims for plaintiffs nationwide.

Medical Device Data Privacy

Medical device connectivity carries data breach risks, and when hackers gain access to connected medical devices or a larger network of health data, that personal information may forever be compromised. Personal health information includes the following:

The U.S. Food and Drug Administration (FDA) has released safety communications highlighting instances where connected medical devices were found to be vulnerable to hackers. The vulnerabilities have turned into reality for thousands of patients across America. Healthcare data breach events are seen almost daily nationwide.

According to the FDA, when breaches occur, medical device manufacturers are responsible for negligent security of the devices they produce. Healthcare providers, in turn, share responsibility in addressing patient safety risks that may develop, and must design a reasonable security system to protect personal data.

What data do medical devices process?

Connected medical devices store and process the health data of patients, caregivers and medical professionals. When the data is handled or transmitted to cloud services, more risks may exist, allowing a leak or a hack.

A common function of connected medical devices is the transmission of information to another device or dashboard. There are several points where hackers can access information, which makes these systems extremely difficult to secure. Still, medical device manufacturers and health care delivery organizations must ensure appropriate safeguards exist.

FDA Medical Device Warnings

  • St. Jude Medical recalled Implantable Cardioverter Defibrillators (ICD) and Cardiac Resynchronization Therapy Defibrillators (CRT-D) due to premature battery depletion. The FDA found that this transmitter was vulnerable to cyberattack.
  • The FDA and Hospira became aware of cybersecurity vulnerabilities in the Symbiq Infusion System after an independent researcher released information about these vulnerabilities.
  • The FDA has become aware of potential cybersecurity risks in certain Medtronic MiniMed Paradigm insulin pumps.

Medical Device Data Breach Lawsuits

Consumer safety attorneys are taking on new class action data privacy violation cases every day. While companies collect, store, share, and sell your personal data, consumers often see their privacy compromised.

Cybersecurity may take a backseat to company profit and growth, and instances of data misuse are increasingly common. There are many new questions surrounding what companies can legally do with data they collect from their clients, but only a handful of states have actually signed consumer data privacy protections into law.

How secure are data systems? Judging by the huge number of data breaches announced each year, it is safe to say online privacy and cybersecurity need some improvement on several fronts. Beyond the security and theft of personal data lie more concerns: data misuse and privacy violations.

Personal data privacy violations can be the basis for class action data misuse lawsuits, and The Lyon Firm aims to protect consumer privacy rights. If you have been the target of data theft, personal data misuse or data privacy violations, call for a free consultation. You may be eligible to join existing data privacy class actions and compensation may be available.

What Medical Devices are Vulnerable?

New technologies are now applied to all kinds of devices—those especially at risk are connected devices that are implantable or wearable.

Hospitals try to improve care and efficiency by using more devices that share data, though this has certain risks as we have seen with hundreds of healthcare facilities targeted in cyberattacks. 

Anytime a medical device has software and relies on a wireless connection, it’s potentially vulnerable to cyber threats, especially if the device is older. 

Does the FDA Regulate Medical Device Data Security?

The U.S. Food and Drug Administration (FDA) regulates medical devices and works to reduce cybersecurity risks in a rapidly changing healthcare environment. The FDA shares this responsibility with device manufacturers, hospitals, health care providers and patients.

The FDA provides guidance to help manufacturers design and maintain secure products. The FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks. 

If a vulnerability in software, hardware or another factor that could pose a risk is identified, the FDA may issue a “safety communication” and recommend actions patients, providers and manufacturers can take.

How to Reimagine Cybersecurity With Your Medical Device

Tips to protect your device and personal information:

  • Use good password practices on your device. 
  • Keep your device within your physical control.
  • Only connect your device to other devices and software if the device manufacturer or your health care provider indicates it is okay to do so.
  • Keep your device updated. Updates may have useful things to protect you like patches or fixes for new cybersecurity risks.  
  • Check in with your device manufacturer or health care provider about other best practices specific to your device.




    Joseph Lyon has 17 years of experience representing individuals in complex litigation matters. He has represented individuals in every state against many of the largest companies in the world.

    The Firm focuses on single-event civil cases and class actions involving corporate neglect & fraud, toxic exposure, product defects & recalls, medical malpractice, and invasion of privacy.


    The Firm offers contingency fees, advancing all costs of the litigation, and accepting the full financial risk, allowing our clients full access to the legal system while reducing the financial stress while they focus on their healthcare and financial needs.

    Reviewing Data Theft & Data Misuse Claims

    Why are Data Privacy Cases important?

    Without personal data privacy violation class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty. By holding companies accountable for safely storing your personal information, every consumer will have more control over how their data is used in the future. 



    Questions About Data Privacy Lawsuits

    What to do if you are a victim of data misuse
    1. Get confirmation of the data theft or misuse and collect as many details about the incident as possible. 
    2. Contact an attorney to investigate the complex litigation involved in data privacy lawsuits. 
    3. Try to find out what information was exposed and protect yourself as much as possible. 
    4. Talk to an attorney before accepting any settlement direct from a company. 
    5. Monitor your accounts and personal information closely. 
    Can I get compensation for data theft?

    Yes, in most cases. Each case is different, but some recent lawsuits have proven to be quite valuable. In one data theft suit, the Ohio Attorney General and attorneys general in other states obtained a $17.5 million settlement against The Home Depot due to a data breach in 2014. The settlement resolves a multistate data breach which exposed the payment card information of approximately 40 million Home Depot consumers.

    The Home Depot data breach made vulnerable the company’s self-checkout point-of-sale system. In addition to the $17.5 million settlement, The Home Depot has agreed to improve network security and maintain data security practices in order to strengthen its data security program and protect the personal information of consumers.

    Who is liable for data misuse?

    Under current privacy law, the firm or organization that is storing user data is responsible for data breaches and will pay any fines or damages that are the result of legal action. The actual data holder—an organization that provides cloud storage—is not usually legally implicated or held responsible in litigation.

    How can I prevent data misuse?

    It’s not as easy as just alerting companies to stop collecting and selling your personal information, but you can take certain steps to protect yourself, including:

    • Opt out of data collection practices if possible
    • Review your credit report
    • Use strong and different passwords for all of your accounts
    • Do not offer your personal information unless necessary
    • Check bank accounts for suspicious activity
    • Limit how exposed you are on social media
    • Speak with a cybersecurity attorney
    What is BIPA?

    Lawmakers established the Illinois Biometric Information Privacy Act (BIPA) in 2008 in response to growing concern over biometric data misuse. The Act seeks to help regulate the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”

    According to the BIPA, biometric identifiers may include:

    • Retina or iris scan
    • Fingerprint
    • Voiceprint
    • Scan of hand
    • Face geometry

    The BIPA addresses the retention, collection, disclosure, and destruction of personal biometric data. Private entities collecting biometric data must inform subjects of the data collection and provide the specific purpose and the length of the collection term. The subject must provide a written release.

    Under the BIPA, any person harmed by a privacy violation has a right of legal action. Plaintiffs may recover damages of $1,000, and for intentional or reckless violations, up to $5,000 in liquidated damages or actual damages, whichever is greater.

    What is a Class Action Lawsuit?

    A Class Action is a lawsuit brought by an individual on behalf of all other similarly situated individuals. Rule 23 of the Federal and State Rules of Civil Procedure allows for Class Action lawsuits to resolve disputes in an efficient format.

    Class Actions are typically filed when the amount of money in dispute for a single plaintiff would not justify litigating the case, but where the amount of damages of the entire class of Plaintiffs would justify the cost of litigation. Without class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

    What are class action requirements?

    In order for a case to be certified as a Class Action, the Court must determine that the case is appropriate for class action treatment under Rule 23. There are different elements depending on whether the case is seeking monetary or injunctive relief. In general, the Court must find the following elements are satisfied:

    • Numerosity: The proposed class must be so numerous that simply joining the individual plaintiffs would be impractical. Generally, the class size should exceed 100 individuals.
    • Common Questions of Law or Fact: The facts and/or legal questions in the dispute must be common to all class members. This does not mean all facts or issues must be identical, but the primary facts and law that will determine the issue in dispute must be common among all class members.
    • Typicality: The named Plaintiff in the case must have the same facts and legal issues as the class they are proposing to represent. If the Plaintiff’s individual case involves issues of fact or law unique to that Plaintiff and are irrelevant to the ultimate issue, class certification may be denied by the Court.
    • Plaintiff/Counsel Adequately Represents the Class: The Court must find that the Plaintiff and Plaintiff’s Counsel are competent and will protect the class’ interests.
    • Predominance: Common questions of fact predominate over individual facts.
    • Superiority: The Class Action is a more efficient and fair means of resolving the dispute. The Court will look at the following factors when making this determination: (1) Class Member interest in maintaining a separate action; (2) the extent of any litigation already begun by other class members; (3) desirability or undesirability of litigating the case in a particular Court; (4) difficulties in managing the class.
    When Should I contact The Lyon Firm?

    Protecting sensitive personal information is getting more and more difficult, but that doesn’t mean it’s not possible. By forcing companies to become accountable for their lack of cybersecurity measures following data misuse and data breach incidents, consumers will have a more secure future.

    Large companies control vast amounts of data, leaving nearly all Americans at risk when their personal data is compromised. If your financial, medical, or consumer information is misused, you may file a data privacy violation claim.

    What are some examples of data privacy lawsuits?

    The majority of BIPA lawsuits are filed against employers who utilize biometric timekeeping systems with fingerprint or facial recognition scans, and collect the employee biometric data.

    Motorola, Clearview AI and Vigilant are facing legal action for allegedly collecting mugshots that were used by law enforcement. Microsoft, Amazon, Alphabet, and FaceFirst Inc. are alleged to have violated privacy laws by collecting photos for facial recognition data from the website, Flickr.

    A proposed class action alleges Ring, LLC has failed to protect the privacy of its motion-activated cameras and the personal information of its customers. The complaint alleges Ring’s devices are rife with security vulnerabilities, which may compromise the personal data of existing and future customers.

    Cyber criminals may have the potential to hack into Ring devices and home networks. The lawsuit also brings to light the fact that Ring has shared users’ personal identifying information with third parties without first obtaining prior consent. The complaint says the devices are not well-equipped to deal with potential hacks.

    Plaintiffs in the case want Ring to take additional security measures to protect the privacy of user accounts and installed devices, as well as stop sharing personal data without clear and informed consent.

    Reports have surfaced that several user accounts and devices were hacked, and plaintiffs argue the company was late in addressing security issues.

    Beyond the security issues, Ring permits third parties to track users, raising eyebrows from consumer safety and data privacy advocates.


    Your Right to Justice

    Learn About the Legal Process

    Filing Class Action lawsuits is a complex and serious legal course and can carry monetary sanctions if proper legal course is not followed. The Lyon Firm is dedicated to assisting injured plaintiffs work toward a financial solution to assist in compensating for medical expenses or other damages sustained.

    We work with law firms across the country to provide the most resources possible and to build your case into a valuable settlement. The current legal environment is favorable for consumers involved in data breach class actions, deceptive marketing lawsuits, TCPA telemarketing claims, and financial negligence claims.

    © The Lyon Firm. ALL RIGHTS RESERVED