[BreachExchange] Medical cannabis users’ suffer data breach

Destry Winant destry at riskbasedsecurity.com
Tue Mar 26 10:13:47 EDT 2019


Natural Health Services, the operator of Canada’s largest referral
network of medical cannabis patients, recently suffered a data breach
that exposed customers’ personal information like medical diagnoses,
referrals, encounter notes, and allergies.

The Calgary-based health center stated that unknown intruders
allegedly accessed personal health records between December 4, 2018,
and January 7, 2019. However, the company clarified that patient
prescriptions, financial, credit card or social insurance numbers
weren’t compromised in the incident.

“NHS identified that a number of records containing personal health
information in the electronic medical record (EMR) system we use were
accessed without the authorization of NHS physicians for purposes that
may be unrelated to providing medical care,” the company said in a
statement. “NHS is working with law enforcement and the Information
and Privacy Commissioner of Alberta to investigate this matter. NHS is
undertaking all necessary steps to work with the respective provincial
privacy commissioners to ensure that this does not happen again.”

The company stated that it notified the affected clients and suggested
them to monitor for any unusual activity in their transactions with
financial institutions.

In a similar incident, the University of Connecticut Health Center
recently suffered a breach that potentially compromised personal data
of around 326,000 individuals. In an official statement, the health
center stated that unknown intruders accessed the email accounts of
several UConn Health employees on December 24, 2018, affecting 326,000
patients’ information.

UConn Health provides health services to the citizens of Connecticut
through innovative integration of research, education, and clinical
care. The Connecticut-based academic medical center stated the
breached data includes, names, dates of birth, addresses, social
security numbers, billing and appointment information, and other
medical information.

The health center stated that it’s enhancing the security of the
impacted accounts to prevent further unauthorized access. It also
notified the law enforcement and retained a forensic security firm to
investigate for any personal information in the impacted email

More information about the BreachExchange mailing list