Data breach exposes diagnosis data of 34,000 medical marijuana patients

An electronic system used by a Canadian service and its parent company was compromised.
Written by Charlie Osborne, Contributing Writer

A data breach at Canada's Natural Health Services (NHS) has exposed personal information belonging to roughly 34,000 medical marijuana users.

As reported by the Canadian Press,  an electronic medical record system used by both NHS and its parent company Sunniva was at the heart of the breach. 

It has not been revealed who or what may have been responsible but the incident occurred between 4 December 2018 and January 7, 2019.

See also: Hijacked ASUS Live Update software installs backdoors on countless PCs worldwide

Diagnostic results, healthcare numbers, and personal contact information have been exposed. 

However, the company does not collect any credit card or social insurance details and so these forms of financial and personally identifiable information (PII) are safe.

CNET: Mueller report: Everything we know about the Trump-Russia investigation

NHS's Windsor location was involved in the breach. The company operates a total of seven clinics across Windsor, Alberta, Saskatchewan, Manitoba, and Ontario. The Windsor clinic opened in May 2018.

"We value our patients and understand the importance of protecting personal information and apologize to the patients whose personal information has been improperly accessed and for any frustration or inconvenience that this may cause," NHS president Dr. Mark Kimmins told the CP. "We are taking this situation very seriously and are taking the necessary steps to prevent a situation like this from happening again."

Personal injury firm Diamond and Diamond has proposed a class-action lawsuit on behalf of those affected.

TechRepublic: Even if your data is stored in the cloud, you need to back it up

This is not the first time -- nor probably the last -- when marijuana users have found themselves embroiled in a data breach. 

In November, Canada Post, based in Ontario, Canada, leaked information belonging to 4,500 customers of the Ontario Cannabis Store (OCS), which offers recreational marijuana which is now legal in the city.

An unnamed individual was able to access the order records of the customers and as such, customer data including names, nominated signatories, postcodes, reference numbers, and dates of delivery were compromised. 

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

Previous and related coverage

Editorial standards