Pubdate: Tue, 11 Oct 2016
Source: Vancouver Sun (CN BC)
Copyright: 2016 Postmedia Network Inc.
Author: Dan Fumano
Page: A3


Birth certificates, medical imaging, passports, prescriptions, biopsy
reports, mental health assessments and more - the personal information
and medical records of an unknown number of patients were publicly
available on the website of a Vancouver marijuana dispensary until

It is not clear whether the information was exposed accidentally or
for some malicious purpose. Dispensary management said they had
notified the Office of the Information and Privacy Commissioner of
B.C., who confirmed an investigation was underway.

The situation prompted Health Canada to reiterate warnings about
cannabis dispensaries, which are illegal under federal law.

Issues of privacy and pot made headlines last week after Ottawa's
largest marijuana dispensary chain apologized to customers for
accidentally revealing email addresses. The scope of the Vancouver
dispensary's records goes beyond patients' names and emails, including
scans of medical records and identifying documents belonging to
Canadians from several provinces.

Late last month, a tipster told Postmedia the information was publicly
accessible, without a password, on the website of the Vancouver Pain
Management Society.

A reporter reviewed some records on the website, and within days, the
vulnerability appeared to be closed and that part of the website was
no longer viewable last Monday. Tuesday and Wednesday, Postmedia
emailed the dispensary and spoke by phone to a manager, but did not
get a response to questions. Wednesday, a reporter visited the
Commercial Drive storefront in person.

Vancouver Pain Management eventually referred the questions by email
to a lawyer on Wednesday. By Thursday, the Vancouver Pain Management
website had been locked down and replaced with a message notifying
members about "the possibility of a minimal breach."

"As a precaution, we have temporarily disabled all access to our
website, and cleared any and all data from our servers while we
investigate. At this time, we have no evidence that a breach has
occurred, but as we take your security as a top concern, we felt it
prudent to inform you immediately," the message said.

Thursday afternoon, a statement from an unnamed manager of Vancouver
Pain Management was delivered through their legal counsel's office,
saying they had been unaware of the situation until Postmedia phoned
last week.

"Immediate steps were taken to shut down any access," the statement
said, and "all potentially affected patients were notified of a
potential privacy breach on Oct. 5."

Only patients who applied online for society membership, required to
buy pot, were at potential risk, the statement said. The dispensary's
representatives declined to answer how many people that could be.

Last week's email stated that an initial investigation indicated that
no one other than a Postmedia reporter had accessed information
"during the alleged breach."

The nature of the exposed information raises a serious security
concern, said Hart Brown, a U.S. cybersecurity expert and
self-described ethical hacker with HUB International, who was in
Vancouver last week for a data breach conference.

"Medical information is typically more valuable on the black market
than your credit card or your financial information," Brown said.

Some municipalities, including Vancouver and Victoria, have moved to
license dispensaries in light of the federal government's promise to
introduce marijuana legalization legislation next year. But some
critics say the cities' attempts at regulating retail pot have created

While Vancouver's regulations mandate zoning issues (like minimum
distance between dispensaries and schools), they don't touch on data

Many Canadians are unclear about the differences between dispensaries
and licensed producers, said Colette Rivet, executive director of the
Cannabis Canada Association, which represents most licensed producers.

Vancouver's approach to licensing dispensaries gives the businesses an
appearance of legitimacy and security, Rivet said, creating "confusion
for the general public."

"There is some liability for the city here," she said.

Vancouver Coun. Kerry Jang disagreed the city's approach had created

"We made it very clear that what we were doing was simply a means of
managing access, but it is up to the patient and their relationship
with whatever dispensary if they wish to hand over any information,"
he said.

Jang said criticisms from licensed producers are motivated by their
business interests. He also criticized Health Canada for not
fulfilling its responsibility, saying their office should warn Canadians.

City spokesman Tobin Postma wrote in an email: "Oversight on patient
data would not fall under the jurisdiction of the city … and so it is
not referred to in our bylaws."

Echoing some language from an announcement last month, Health Canada
spokeswoman Renelle Briand wrote in an email that "Health Canada would
like to reiterate that all dispensaries selling cannabis are illegal
. As such, it would be inappropriate for Health Canada to comment on
the record-keeping and management practices of these illegal entities."

"The government of Canada has issued numerous statements to warn the
public that they should not be purchasing products from dispensaries
or other organizations and individuals that are operating illegally,"
Briand wrote.

The only legal sources of medical cannabis are licensed producers who,
the Health Canada statement said, "must protect the personal
information of registered clients through safe and secure
record-keeping and management of personal documents in accordance with
relevant federal and provincial privacy legislation."

Vancouver Pain Management is working through Vancouver's development
application process after a successful board of variance hearing in
the summer. The society's full application was received last month, a
city spokesman said, and it was expected to appear on the city's
development application website within days.

A sign appearing in the shop's window this week says the dispensary is
going through the review process to get a city licence.
- ---
MAP posted-by: Matt