Cyber Incident Victim: National Health Service
Date:
Dec 2018
Location:
Canada
Summary
A data breach at a Canadian healthcare provider exposed personal and medical information of approximately 34,000 medical marijuana patients, including diagnostic results and healthcare identifiers. The incident involved unauthorized access to an electronic medical records system, compromising contact details but no financial data as such information was not collected. The organization's president issued a public apology and stated enhanced security measures were being implemented. A class-action lawsuit was proposed on behalf of affected individuals, while a separate unrelated breach by a postal service previously leaked data for thousands of cannabis users.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A significant cyber incident occurred at Canada's Natural Health Services (NHS), a company that operates a chain of medical marijuana clinics across the country. The breach resulted in the exposure of personal information belonging to approximately 34,000 medical marijuana users. The incident involved an electronic medical record system used by NHS and its parent company, Sunniva. This system was compromised, allowing unauthorized access to sensitive patient data.
The breach was particularly concerning due to the nature of the information that was stolen. Diagnostic results, healthcare numbers, and personal contact information were all exposed, potentially putting patients at risk of identity theft and other forms of exploitation. However, it is worth noting that the company did not collect credit card or social insurance details, which limited the scope of financial damage that could be caused by the breach.
The incident was reported to have occurred over a period of time, rather than being a single event. This suggests that the attackers may have had ongoing access to the system, potentially allowing them to extract data over an extended period. The fact that the breach was not immediately detected raises concerns about the company's cybersecurity measures and its ability to identify and respond to potential threats.
The breach has had significant consequences for NHS and its patients. A proposed class-action lawsuit has been filed on behalf of affected individuals, seeking compensation for the harm caused by the breach. The lawsuit alleges that NHS failed to adequately protect patient data, and that the company's negligence led to the breach. The lawsuit also seeks to hold Sunniva, the parent company, liable for the breach.
The incident has also raised questions about the security of electronic medical record systems, which are increasingly being used by healthcare providers to store sensitive patient data. These systems are attractive targets for hackers, who can use the data to commit identity theft, insurance fraud, and other forms of cybercrime. The breach highlights the need for healthcare providers to prioritize cybersecurity and implement robust measures to protect patient data.
The breach has also had reputational consequences for NHS, which has faced criticism for its handling of the incident. The company has apologized for the breach and has stated that it is taking steps to prevent similar incidents in the future. However, the breach has likely damaged the trust between NHS and its patients, which could have long-term consequences for the company.
The incident has also raised concerns about the regulatory environment surrounding medical marijuana in Canada. The breach highlights the need for clear regulations and guidelines for the protection of patient data in the medical marijuana industry. The incident has also raised questions about the role of government in regulating the industry and ensuring that companies are taking adequate steps to protect patient data.
The breach at NHS is a significant incident that highlights the risks associated with storing sensitive patient data in electronic medical record systems. The incident has had significant consequences for the company and its patients, and has raised questions about the security of these systems and the regulatory environment surrounding medical marijuana in Canada. The incident serves as a reminder of the need for healthcare providers to prioritize cybersecurity and implement robust measures to protect patient data.