[BreachExchange] Vancouver pot dispensary patient data breach highlights regulatory haze

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 11 14:20:43 EDT 2017


http://vancouversun.com/news/local-news/dan-fumano-vancouver-pot-dispensary-patient-data-breach-highlights-regulatory-haze

Sensitive patient data supplied to a Vancouver cannabis dispensary has been
either mishandled or — according to the shop’s owner — stolen, a situation
again highlighting the cloud of confusion over the regulation of retail pot.

Most people in stereotypically weed-friendly Vancouver, it seems, don’t
have a problem with dispensaries. A Nanos poll of Vancouverites last year
found only 14 per cent supported banning medical dispensaries.

But the city’s decision to take the lead in Canada by licensing a
still-illegal industry has contributed to a regulatory haze where many in
Vancouver — including cannabis users and non-consumers alike, and even
those involved in the weed business — have expressed confusion about the
state of affairs while Canadians await federal legislation expected to
legalize non-medicinal marijuana next year.

A tipster recently contacted Postmedia to say he’d found a computer memory
card in a Vancouver alley, containing more than 1,000 photos of people
taken inside a west-side dispensary, as well as digital copies of private
medical documents. Postmedia has reviewed the contents of the memory card
to confirm its contents, but is not identifying the dispensary, because it
was not immediately possible to confirm how the disk was obtained. The
tipster who provided the disk said he was unsure if it ended up in the
alley due to negligence or “some criminal act that led to the memory card
being stolen or otherwise taken from the dispensary.”

Thursday, after Postmedia told the dispensary’s owner of the data leak, he
immediately reported it to the Vancouver Police.

The shop owner said all patient information is stored on a secure, internal
system, and “the only way someone would be able to get this information is
stealing it from us. … I hope we can get to the bottom of who actually
stole it.”

Whether a case of negligence or theft, it raises questions about the
oversight of a multi-million dollar business that’s above-the-counter in
Vancouver, but against the law as far as Ottawa’s concerned.

The people’s photos on the disk, which appear to have been taken for
membership cards or some similar purpose, show a cross-section of hundreds
of apparent weed consumers, men and women who appear to range in age from
their early 20s through middle age to several senior citizens. Some are
dressed casually, while others are in more formal office attire.

The disk also included photos of medical documents, including copies of
prescriptions and pill bottle labels for drugs commonly prescribed to treat
a range of physical and mental conditions, including painful muscle spasms,
depression, anxiety, bipolar disorder, bowel conditions and heart
disorders. Patients’ names were legible on each of those photos of
documents, and some include other identifying information.

The incident follows a different breach last year originating with another
Vancouver dispensary, one that led to an investigation by B.C.’s privacy
watchdog and a public warning from Health Canada. In October, Postmedia
reported that sensitive patient data had been publicly viewable through the
website of an East Van dispensary called the Vancouver Pain Management
Society.

Breaches of sensitive information have happened before at medical labs,
hospitals and government agencies in Canada.

But one thing differentiating dispensary cases is that these are businesses
to whom customers entrust sensitive data, yet instead of being regulated by
senior levels of government, Ottawa actively discourages people from
trusting them.

So it raises the question of who holds dispensaries accountable if they are
negligent with medical data.

The Office of the Information and Privacy Commissioner for B.C.
investigated last year’s breach. Reached this week, an office spokeswoman
said the investigation had closed, but the office “does not disclose the
results of our investigations and therefore cannot comment further.”

Asked whether the office could issue sanctions or discipline organizations
found to be breaching privacy rules, spokeswoman Jane Zatylny said “the
Commissioner can order an organization to stop disclosing the information.”

However, it was not clear whether the office could discipline an
organization found to be negligent in mishandling private information.

Last year’s dispensary breach (which, like this week’s leak, was brought to
the attention of Postmedia by a tipster) prompted Health Canada to issue a
statement “to reiterate that all dispensaries selling cannabis are illegal
(and) function outside of Health Canada’s regulatory framework. … As such,
it would be inappropriate for Health Canada to comment on the
record-keeping and management practices of these illegal entities.”

Responding to this week’s leak, a Health Canada spokesman said last year’s
statement “still applies.”

Similarly, a City of Vancouver spokesman said this week the city’s position
hasn’t changed since last October’s statement, which said: “Oversight on
patient data would not fall under the jurisdiction of the city (similar to
health clinics and hospitals in the city) and so it is not referred to in
our bylaws.”

But, it could be argued that the city’s decision to create a licensing
structure for illegal businesses has helped give them a veneer of
legitimacy.

The two Vancouver dispensaries involved in the recent data breaches are
both working their way through the city’s licensing program: last year,
city hall reportedly issued Vancouver Pain Management Society its
development permit (the last stage in the process before the business
licence) the month after Postmedia first reported its data breach.

In the 10 months since then, different levels of government have stuck to
their positions that dispensary data oversight isn’t their responsibility.
And a cloudy situation’s not getting any clearer.