Skip to content
Join our Newsletter
Join our Newsletter

Privacy breach on pot dispensary website reveals medical data

Birth certificates, medical imaging, passports, prescriptions, biopsy reports, mental health assessments and more — the personal information and medical records of an unknown number of patients were publicly available on the website of a Vancouver ma
Vancouver Pain Management society on Commercial Drive in Vancouver. Personal and medical records of an unknown number of patients were publicly available on its website, until the company fixed the vulnerability within the past week.

Birth certificates, medical imaging, passports, prescriptions, biopsy reports, mental health assessments and more — the personal information and medical records of an unknown number of patients were publicly available on the website of a Vancouver marijuana dispensary until recently.

It is not clear whether the information was exposed accidentally or for some malicious purpose. Dispensary management said they had notified the Office of the Information and Privacy Commissioner of B.C., who confirmed an investigation was underway.

The breach prompted Health Canada to reiterate warnings about cannabis dispensaries, which are still illegal under federal law.

Issues of privacy and pot made headlines last week after Ottawa’s largest marijuana dispensary chain apologized to angry customers for accidentally revealing email addresses. The scope of the Vancouver dispensary’s records goes beyond patients’ names and emails, including scans of medical records and identifying documents belonging to Canadians from several provinces.

Late last month, a tipster told Postmedia that the information was publicly accessible, without a password, on the website of Vancouver Pain Management Society.

A reporter reviewed some records on the website, and within days, the vulnerability appeared to be closed and that part of the website was no longer viewable last Monday. Last Tuesday and Wednesday, Postmedia emailed the dispensary and spoke by phone to a manager, but did not get a response to questions. Last Wednesday, a reporter visited the Commercial Drive storefront in person.

Vancouver Pain Management eventually referred the questions by email to a lawyer on Wednesday. By last Thursday, the Vancouver Pain Management website had been locked down and replaced with a message notifying members about “the possibility of a minimal breach.”

“As a precaution we have temporarily disabled all access to our website, and cleared any and all data from our servers while we investigate. At this time, we have no evidence that a breach has occurred, but as we take your security as a top concern, we felt it prudent to inform you immediately,” the message said.

Last Thursday afternoon, a statement from an unnamed manager of Vancouver Pain Management was delivered through their legal counsel’s office, saying they had been unaware of the breach until Postmedia phoned last week.

“Immediate steps were taken to shut down any access,” said the statement, and “all potentially affected patients were notified of a potential privacy breach on Oct. 5.”

Only patients who applied online for society membership, required to buy pot, were at potential risk, the statement said. The dispensary’s representatives declined to answer how many people that could be.

Last week’s emailed stated that an initial investigation indicated that no one other than a Postmedia reporter had accessed information “during the alleged breach.”

The nature of the exposed information raises a serious security concern, said Hart Brown, a U.S. cybersecurity expert and “ethical hacker” with HUB International, who was in Vancouver last week for a data breach conference.

“Medical information is typically more valuable on the black market than your credit card or your financial information,” said Brown.

Some municipalities, including Vancouver and Victoria, have moved to license dispensaries ahead of the federal government’s planned introduction of marijuana legalization legislation next year. But some critics say the cities’ attempts at regulating retail pot have created confusion.

While Vancouver’s regulations mandate zoning issues (like minimum distance between dispensaries and schools), they don’t touch on data security.

Responses to the breach highlight the divide between Canada’s strictly regulated, legal medical marijuana business of 35 licensed producers selling cannabis by mail to about 82,000 registered patients and the illegal retail pot industry that has sprouted up across the country.

Many Canadians, even cannabis patients, are unclear about the differences between dispensaries and licensed producers, said Colette Rivet, executive director of the Cannabis Canada Association, the industry association representing most licensed producers.

Vancouver’s approach to licensing dispensaries gives the businesses an appearance of legitimacy and security, Rivet said, creating “confusion for the general public.”

“There is some liability for the city here,” she said.

Vancouver Coun. Kerry Jang disagreed the city’s approach had created confusion. “We made it very clear that what we were doing was simply a means of managing access, but it is up to the patient and their relationship with whatever dispensary if they wish to hand over any information.”

Jang said criticisms from licensed producers are motivated by their business interests. He also criticized Health Canada for not fulfilling its responsibility, saying their office should warn Canadians.

City spokesman Tobin Postma said in an email: “Oversight on patient data would not fall under the jurisdiction of the city (similar to health clinics and hospitals in the city) and so it is not referred to in our bylaws.”

Health Canada spokeswoman Renelle Briand said in an email, which echoed some language from an announcement last month: “Health Canada would like to reiterate that all dispensaries selling cannabis are illegal … As such, it would be inappropriate for Health Canada to comment on the record-keeping and management practices of these illegal entities. The government of Canada has issued numerous statements to warn the public that they should not be purchasing products from dispensaries or other organizations and individuals that are operating illegally.”

The only legal source of medical cannabis, the statement said, is licensed producers who “must protect the personal information of registered clients through safe and secure record-keeping and management of personal documents in accordance with relevant federal and provincial privacy legislation.”

Vancouver Pain Management is working through Vancouver’s development application process after a successful board of variance hearing in the summer. The society’s full application was received last month, a city spokesman said, and it was expected to appear on the city’s development application website within days. A sign appearing in the shop’s window this week explains the dispensary is going through the review process to get a city licence.