The FDA has identified this as a Class I recall, the most serious type of recall. Use of these devices may cause serious injuries or death
- MiniMed Model 500 and 503 Remote Controllers (MMT-500 and MMT-503)
- Distribution Dates: August 6, 1999 to July 24, 2018
- Devices Recalled in the U.S.: 1117
- Date Initiated by Firm: August 7, 2018
People who have diabetes may use the MiniMed insulin pump to deliver insulin for the management of their diabetes. The pump system includes an optional remote controller device which is designed to communicate wirelessly with the pump to deliver a specific amount of insulin to the person with diabetes.
Reason for Recall
Medtronic is recalling the specified remote controllers due to potential cybersecurity risks. An unauthorized person (someone other than a patient, patient caregiver, or health care provider) could potentially record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialized equipment, an unauthorized person could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death.
To date, the FDA is not aware of any reports of patient harm related to these potential cybersecurity risks.
Who May be Affected
- Any person who uses the remote controller feature with an affected Medtronic MiniMed insulin pump
- Healthcare providers who treat people with diabetes who use remote controllers associated with affected MiniMed insulin pumps
What to Do
On August 7, 2018, Medtronic notified affected customers. Medtronic instructed patients on how to protect the security of their MiniMed insulin pump given the cybersecurity vulnerabilities of the remote controllers.
Patients should stop using the remote controller and turn off the Easy Bolus™ feature.
If use of the remote controller is essential for insulin delivery, despite the identified cybersecurity risks, Medtronic advises to use the following precautions:
- Turn off Easy Bolus™ feature when not intending to use the remote bolus option
- Be attentive to the pump alerts, especially when the easy bolus option is turned on, and immediately cancel any unintended bolus
- Do not connect to any third-party devices not authorized by Medtronic
If customers have never programmed a remote controller ID into their pump and never programmed the Easy Bolus option, they will not be impacted by this vulnerability.
To minimize the potential of a cybersecurity attack, Medtronic has advised patients to:
- Keep their insulin pump and the devices that are connected to their pump within their control at all times whenever possible.
- Do not share their pump serial number.
- Be attentive to pump notifications, alarms, and alerts.
- Monitor their blood glucose levels closely and act appropriately.
- Immediately cancel any unintended boluses.
- Connect their Medtronic insulin pump to other Medtronic devices and software only.
- Disconnect the USB device from their computer when they are not using it to download data from their pump.
Patients and healthcare providers should also be aware of other cybersecurity issues related to specified Medtronic MiniMed Insulin Pumps which were communicated in the FDA Safety Communication from June 27, 2019.
Get medical help right away if they:
- Have symptoms of severe hypoglycemia (such as excessive sweating, feeling very tired, dizzy and weak, being pale, and a sudden feeling of hunger).
- Have symptoms of diabetic ketoacidosis (such as excessive thirst, frequent urination, nausea and vomiting, feeling very tired and weak, shortness of breath).
- Think your insulin pump settings or insulin delivery changed unexpectedly.
Customers who have questions or need additional information or support about this recall should call the 24-hour Medtronic Technical Support at 800-646-4633.
- Medical Device Recall Database Entry
- Medtronic Patient Letter
- Medtronic Security Bulletin
- Department of Homeland Security Cybersecurity Infrastructure Security Advisory
- FDA Safety Communication: Certain Medtronic MiniMed Insulin Pumps Have Potential Cybersecurity Risks
- FDA News Release
How do I report a problem?
Health care professionals and consumers may report adverse reactions or quality problems they experienced using these devices to MedWatch: The FDA Safety Information and Adverse Event Reporting Program either online, by regular mail or by FAX.