Vulnerability Discovered in Medtronic Encore and CareLink Programmers

ICS-CERT issued a bulletin regarding a vulnerability that was found in some Medtronic CareLink and Encore Programmers. Any personally identifiable information (PII) and protected health information (PHI) that the devices contain could potentially be accessed due to the absence of encryption for information at rest.

The programmers are used to program and manage Medtronic cardiac devices in hospitals and may store reports containing patients’ PII/PHI. An attacker with physical access to a vulnerable programmer could open those reports and read the patients’ PII/PHI. The vulnerability cannot be exploited remotely, but an attacker with a low skill level could exploit it given physical access.

Security researchers Billy Rios and Jonathan Butts of Whitescope LLC discovered the vulnerability (CVE-2018-18984). They found that the programmers either do not encrypt stored PII/PHI or use encryption that is not sufficient. The vulnerability was assigned a CVSS v3 base score of 4.6.

The vulnerability is found in all 29901 Encore Programmers, CareLink 2090 Programmers, and CareLink 9790 Programmers.

Medtronic recommended all hospitals stop using CareLink 9790 Programmers as they have reached end-of-life and are no longer supported. CareLink 2090 and 29901 Encore Programmers should only have PII/PHI stored for a short period of time. The programmers should only store patient data temporarily until it can be transferred to other medical systems or printed out.

All affected programmers allow the manual deletion of reports with PII/PHI when they’re no longer required. Users of the Programmers should also erase all PII/PHI from the devices prior to scrapping the devices.


Medtronic likewise advised users to ensure Programmers are physically secured at all times and never to use Programmers supplied by third parties. Programmers should only be obtained from official suppliers.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/