A proposed class-action lawsuit has been launched against Natural Health Services, a chain of medical cannabis clinics with locations in four provinces, including Manitoba, whose patients' personal medical information was exposed in a digital data breach.
A letter sent to NHS clients in recent weeks says the company's electronic medical record software was "accessed without authorization" sometime between Dec. 4, 2018, and Jan. 7. NHS said the breach didn't expose any financial information, but did include identifying information such as names, addresses and phone numbers, as well as health-care numbers and medical information such as diagnoses and medical questionnaires.
NHS filed a police report about the breach Jan. 31, the letter says. It also filed reports with provincial privacy authorities in Alberta, Saskatchewan, Manitoba and Ontario. The company says it has started its own internal investigation, and has worked to "improve the protection of patient personal health information."
The breach affected the records of about 34,000 patients, said NHS parent company Sunniva Inc. in a news release.
"We have been working with privacy protection and law enforcement authorities to investigate and respond to this breach," said NHS president Dr. Mark Kimmins in an emailed statement.
"The investigation is ongoing and we cannot comment further on it, or this litigation, other than to say that we will be defending this action."
A spokesperson for the Manitoba ombudsman said they are aware of the breach and "will assess what steps may be taken."
The lawsuit against NHS is being brought by Toronto-based law firm Diamond and Diamond. The proposed lead plaintiff is an Ontario woman named Adele Worley-Burns.
According to a statement of claim filed March 20 in the Ontario Superior Court of Justice, Worley-Burns was referred to NHS by her doctor to get assessed for a medical cannabis prescription, and filled out the clinic's intake questionnaire online before booking an appointment.
She ultimately cancelled that appointment, because she was worried using medical cannabis might make it hard for her to enter the United States. Even so, Worley-Burns received a letter from NHS on March 15 warning her data had been compromised.
"She is now even more concerned about who has her information and what this will mean for her," says the statement of claim.
Natural Health Services didn't meet its legal obligations to protect patients' medical information, said attorney Darryl Singer, head of civil and commercial litigation with Diamond and Diamond.
"It failed, so the legal term is they were negligent, in that they didn't have the appropriate safeguards in place to ensure that that information wouldn't be compromised," he said.
Singer argues the data breach at NHS is more serious than other recent high-profile data breaches, like the 2018 revelation Facebook users' personal information was collected by political consultancy Cambridge Analytica, or the 2015 theft of user information from extramarital dating website Ashley Madison.
"This goes even further, because what NHS has... is medical information, the most sensitive and personal information, that we don't now know who has it, or where it is."
Singer expects hundreds or even thousands of NHS clients could be interested in joining the lawsuit, and said his firm has been contacted "by literally dozens of them, just since yesterday."
The lawsuit has not been certified as a class action, and the allegations against NHS and Sunniva have not been tested in court.
Medical cannabis clinics have proliferated across Canada in recent years, although they don't directly provide marijuana to patients. Instead, doctors at clinics such as Natural Health Services assess a patient's condition and decide whether they should be authorized to access the drug through Health Canada's legal medical cannabis regime. Approved patients are usually signed up with government-licensed cannabis producers, who sell them medical cannabis products directly.
The severity of the data breach at NHS remains in question, according to David Masson, Canada country manager for cybersecurity firm Darktrace.
"For all we know, maybe only seven people had their records accessed," he said. "But what's probably the case is, it was possible that 34,000 records had been accessed, but (they) don't actually know how many. And so, unfortunately, the company has to defer to the possibility that they were all accessed."
Medical cannabis users who use cannabis clinics shouldn't be afraid to ask questions about what's being done with their digital medical information, added Masson.
"What are you going to do with it? How do you store it?... They should be asking, and not necessarily just taking at face value what the company says about it."
Updated on Friday, March 29, 2019 at 7:14 AM CDT: Updated