Canadian health and law enforcement officials are dealing with a massive data breach that exposed the private information of roughly 34,000 medical cannabis patients between December and January. The breach allowed unauthorized access to the electronic medical record system of Natural Health Services Ltd., a subsidiary of Sunniva Inc. Over the past week, Natural Health Services has been informing patients about the privacy breach and the information it leaked. While Sunniva is working with NHS and police to investigate the origin of the leak, one law firm has already proposed a class-action lawsuit against the company.
Data Breach Exposes All Private Medical Data Stored on Patient Registry
Medical cannabis patient registries are a necessity for any regulated programs. But as with any database of sensitive information, patients have to trust that the entities responsible for safeguarding their personal data have taken the necessary precautions. At the same time, even the most secure systems can still be exploited by anyone with the requisite resources and expertise.
In the case of the NHS/Sunniva medical marijuana patient breach impacting more than 34,000 Canadians, whoever breached the database gained access to all of the information stored therein. Fortunately for patients, the NHS registry doesn’t collect any financial data. So patients’ credit card information, social insurance numbers and bank account info were never on the servers to begin with.
Instead, the breach involved everything related to patients’ medical cannabis authorization. And that means personal, private medical data like diagnostic and test results, health-care identification numbers and personal contract information.
Privacy Issues Plague Canada’s Medical Cannabis Program
The unauthorized access of 34,000 medical marijuana patients’ private health data raises a number of privacy and security concerns. Canada’s medical cannabis laws include broad protections for patients to shield them from discrimination and ensure access to their medicine. Still, employees have faced sanction and other consequences despite those protections. And some workers, like those in transportation or other security sensitive sectors, don’t enjoy full protection for their medical use of cannabis.
In short, the data breach puts 34,000 medical cannabis patients at potential risk. To field questions from patients about the leak and how to address it, the NHS has set up a dedicated hotline, at 1-888-297-0573.
But with privacy issues continuing to plague Canada’s medical cannabis program, one law firm is eyeing a class-action lawsuit to compel companies to better-safeguard patient information. This week, personal injury firm Diamond and Diamond announced a proposed lawsuit against both NHS and Sunniva.
Late last year, the Ontario Cannabis Store reported a major customer privacy breach of its own, impacting mostly retail customers. In November, an unauthorized individual accessed the names, home addresses and other identifying information of more than 4,500 OCS customers. That breach involved a database belonging to the Canada Post postal service.
The system-wide issue affected Canada Post’s entire delivery tracking system, showing who purchased cannabis and where they had it delivered. It took Canadian officials nearly a week to inform customers about the breach. Sunniva and NHS took several weeks to spot the breach and inform patients registered in its system. Natural Health Services, based in Alberta, runs seven clinics in Canada. “We value our patients and understand the importance of protecting personal information and apologize,” NHS president Dr. Mark Kimmins said in statement.