Reports are surfacing that Canadian licensed producer RedeCan is facing a privacy breach after a mass email to patients revealed their personal information to other patients. Although officials from RedeCan have not commented publicly, an email from the LP to a patient impacted by the breach indicates the company has self-reported the breach to the Privacy Commissioner of Canada.
The LP was previously the subject of a voluntary recall last November when a lot of 13,344 units of 3.5 grams of dried flower sold in Ontario and BC was found to contain mold. RedeCan also faced complaints last year after some customers reported finding what appeared to be tiny bugs in their flower. The company responded to customers, saying they use persimilis, a tiny predatory mite, in lieu of pesticides to prevent outbreaks of crop-destroying pests such as spider mites.
James, a medical cannabis patient in Hamilton, Ont. who did not want his real name revealed in fear of his employer finding out he is a medical cannabis patient, registered with RedeCan as a medical user and received an email from the LP on March 5 welcoming him to the RedeCan family, an email that was cc'd to 115 other patients, including visible full names and email addresses. James says he had not completed the registration process and had only provided his prescription and contact information.
Once he received the email and noticed the other patients' names, James immediately emailed the LP to inform them of the breach. But he also took to Reddit, posting screenshots of RedeCan's correspondence.
RedeCan has alerted patients about the breach
"It has come to our attention that an email communication was distributed to a group of recipients without using the blind copy function," reads the email. "Please be assured that we are working diligently to address the issue as well as how this error occurred as well as how it can be prevented in the future. We value your business and place the highest importance on patient confidentiality."
"We ask that you kindly refrain from using the 'Reply All' function on the original email," they wrote before directing affected patients to customer care. "We thank you for your patience and understanding as we work through this issue and encourage you to reach out to the email or phone number listed above." The email is signed "RedeCan Customer Care."
James was appalled.
James says, "I work in tech and we work in handling sensitive customer information all the time. So to see patient information handled in this way, let alone someone that's just a retail customer was very, very, very alarming to me."
Toronto cannabis lawyer Caryma Sa'd agrees.
"They should probably be revisiting whatever technology they're using," she said in an interview Friday.
"I would hope that in very short order the LP would send a follow up email saying 'Please delete the previous one, please destroy, do not use for any purpose.' That would be kind of the bare minimum first step that they should be taking."
After James wrote to RedeCan, he received an email from the company's lawyer. The lawyer acknowledged receipt of James' emails but did not respond to any of the questions and requested a phone call to discuss. When James called him, he was unable to answer questions relating to the privacy breach, and James asked to be referred back to the LP.
The GrowthOp reached out to both RedeCan and their legal counsel but did not receive a response by the time of publication.
Handle with care
Sa'd says that how a company handles errors such as these can make a big difference in how they are perceived.
"Reaching out to the individual patient, providing some level of reassurance that they're doing everything a) to make sure this never happens again and b) to make sure that this specific breach isn't capitalized on by someone."
RedeCan has reported the breach to the Privacy Commissioner of Canada. The Privacy Commissioner of Canada oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which outlines businesses' requirements for handling sensitive customer information. While the Privacy Commissioner does investigate privacy breaches, they do not have enforcement powers. Depending on the outcome of the investigation, potential findings may be passed on to the Attorney General of Canada for prosecution. The severity of the breach will be determined based on what information was shared and on the risk of significant harm, such as identity theft, to the customers whose information was shared. Under PIPEDA, companies are required to self-report, notify anyone affected by the breach and keep records of all breaches.
James says that he won't let this bad experience sour his opinion about purchasing medication from licenced producers, but he believes that more regulations and better enforcement must be considered to protect Canadians' privacy, particularly when handling sensitive information. "I think that there needs to be better legislation around patient privacy information," he says. "It doesn't necessarily distort my confidence in LPs, more so in the Canadian government's diligence and making sure that they're operating in the way that medical organizations operate."
The question of customer privacy for online cannabis sales has been raised several times since the legalization of adult-use cannabis in 2018. Canada Post previously reported a privacy breach shortly after legalization that affected approx. 4,500 recreational cannabis consumers.