[BreachExchange] Winnipeg-based online pharmacy warns of data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jan 20 10:04:54 EST 2020


https://www.itworldcanada.com/article/winnipeg-based-online-pharmacy-warns-of-data-breach/426207

A Winnipeg-based online pharmacy is still offline after telling
customers their information, including medications and medical
history, may have been compromised in a security incident.

As of Friday morning, PlanetDrugsDirect.com hasn’t been reachable for
over 36 hours; the outage began shortly after Bleeping Computer broke
the news that an unknown number of people were being notified. The
company says it has 400,000 customers.

The site’s home page displays an error message as well as the
statement, “This website is using a security service to protect itself
from online attacks.”

Earlier in the week, the site offered a 1-888 number for customers to
call for information. This morning when the number was dialled from
Toronto a recorded message said it was not available from that calling
area.

The notice to customers says what may have been exposed is the
person’s “name, mailing address, e-mail address, telephone number(s),
occupation, employment status, referral source, the name of your
primary physician (and his or her contact information), age, height,
weight, sex, date of birth, the existence and types of drug allergies,
medications requested, family medical history information, your
personal medical history information, details of your existing
medications, credit card information (including card type and number,
expiry date and name of cardholder) and prescription information.”

Customers are being asked to monitor their bank and credit card
accounts for suspicious activity.

The company says people can “buy cheap prescription medications safely
online by a Canadian prescription referral service and have your order
filled by a licensed international pharmacy.”

Created in 2001, PlanetDrugsDirect.com is one of a large number of
websites offering medicinal drugs around the world, particularly to
the U.S., because prices are lower here.

In a 2014 press release the site called itself “a trusted online
pharmacy offering service from Canada that provides 100 per cent safe
prescription and non-prescription drugs at affordable prices with
maximum protection and privacy of its customers. Hundreds of
compliments are received every month from the existing happy customers
along with increasing likes and shares on social media sites such as
Facebook, Google+ and Twitter.”

The company also regularly mentions that it is a member of the
Canadian International Pharmacy Association (CIPA), an industry
association of licensed pharmacies.

“The most worrisome part of this breach is that hackers had access to
patient contact information, medications taken, and payment
information,” said Robert Capps, vice-president of market innovation
for Vancouver-based NuData Security, a Mastercard company. “All this
data could provide cybercriminals with enough information to craft
fake email messages reminding them of a refill, for example, to trick
victims into ordering prescription refills from untrusted sources – or
fake ones. Consumers should be wary of any emails that appear to come
from a pharmacy and should avoid clicking links in such emails. We
advise that consumers access their prescription drug reordering via
the official website of their provider.

“Healthcare information has become increasingly valuable to
cybercriminals, and there is a real risk that this and other stolen
data could be used by an attacker to access a consumer’s healthcare
organization. Healthcare organizations need to mitigate the damages of
such breaches by verifying users by their online behaviour instead of
the credentials that have been stolen by cybercriminals.”

