An undisclosed number of clients of a Calgary-based medical cannabis referral agency have had their personal medical information compromised in an electronic data breach, the company says.
Natural Health Services Ltd., which operates Canada’s largest referral network of medical cannabis patients, informed clients last week that their personal health records had been accessed without authorization between Dec. 4, 2018, and Jan. 7, 2019. The breach could include data ranging from basic personal information to medical diagnoses, referrals, encounter notes and allergies.
However, patient prescriptions were not accessed, the company said.
“NHS identified that a number of records containing personal health information in the electronic medical record (EMR) system we use were accessed without the authorization of NHS physicians for purposes that may be unrelated to providing medical care,” the company said in a statement.
An email that went to affected clients noted financial, credit card or social insurance numbers weren’t compromised, as that information is not obtained from patients.
The company, which operates clinics in seven Canadian cities from Calgary to Windsor, said it has initiated its own privacy investigation while filing breach reports with privacy commissioners in Alberta, Saskatchewan, Manitoba and Ontario. Police have also been notified.
“NHS is working with law enforcement and the Information and Privacy Commissioner of Alberta to investigate this matter. NHS is undertaking all necessary steps to work with the respective provincial privacy commissioners to ensure that this does not happen again.”
The company wouldn’t say how many clients may have been affected.
Scott Sibbald, a spokesman with Alberta’s privacy commissioner’s office, confirmed they’ve been made aware of the breach and have had a few phone calls from affected clients.
However, he noted the agency has yet to post the information on its own website as it can take some time to gather the necessary information before posting a public breach report.
In the email that was issued to clients, the company advised those affected to monitor for any unusual activity in transactions with financial institutions or government agencies and report them immediately.
They also warned clients to be wary of companies with which they’ve had no previous dealings contacting them to sell products and services.
Under Alberta’s Health Information Act, affected clients are entitled to register a complaint with the privacy commissioner’s office.
NHS has set up its own dedicated hotline to field patient inquiries at 1-888-297-0573.
On Twitter: @ShawnLogan403