Up in Smoke: Marijuana Dispensary Data Breach

Some Vancouver marijuana dispensary customers’ privacy went up in smoke when their medical records were publicly exposed on the dispensary’s website. Scanned medical documents, passports, prescriptions, birth certificates, mental health reports, biopsy results, and other records were unprotected on the Vancouver Pain Management Society website. The site is offline, and the Office of the Information and Privacy Commissioner of British Colombia is investigating.

Not the First Time 

Just a few days before this breach came to light, Ottawa’s biggest dispensary chain exposed customer email addresses. Magna Terra Health Services fired the employee who sent an email containing 470 medical cannabis customers’ email addresses. But this time, Canadians from several provinces are effected and the damage could be much more severe. The Pain Management Society isn’t saying how many customers are affected.

The Politics of Pot 

Health Canada regulates 35 legal, licensed producers selling mail-order cannabis. There are over 80,000 customers of this strictly regulated industry. Some areas, such as Vancouver, license dispensaries ahead of legalization. Any business selling cannabis, other than one of those 35 producers, is breaking the law. This distinction is not always clear to consumers, and dispensaries do not have to follow any privacy or data protection policies required of producers.

Data Privacy in Canada

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation governing collection, use, and disclosure of personal information by private sector organizations including health institutions. Explicit consent from individuals is necessary before disclosing personal information. PIPEDA incorporates the ten privacy principles put in place by the Canadian Standards Association:

  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use
  • Disclosure and Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access

According to PIPEDA, personal information is defined as:

  • Factual or subjective information, recorded or unrecorded, about an individual
  • Name, race, ethnicity, religion, marital status, education level
  • E-mail addresses, e-mail messages, IP addresses
  • Medical records
  • Financial information
  • Social Insurance Number (SIN)

Several provinces have their own information privacy legislation. For example, in Ontario, personal health data are shielded by the Personal Health Information Protection Act (PHIPA). PHIPA specifically addresses the collection, use and disclosure of protected health information without getting in the way of providers delivering healthcare services. In instances where there are conflicts between PHIPA and the federal PIPEDA, PHIPA prevails unless if it is possible to uphold both legislations.

Ongoing Investigation 

Back at the Vancouver Pain Management Society, a sign hangs in the window stating the dispensary is applying for a city license. The company is directing all questions about the breach to lawyers, and it remains to be seen if the data leak will result in identity theft or other headaches for customers.


Medical information including records, prescriptions, and diagnoses was unprotected and exposed on a Canadian medical marijuana dispensary’s website. Patient data also included birth certificates and passports. The Vancouver Pain Management Society took their site down when notified of the breach. Just days earlier, Ottawa’s biggest dispensary chain exposed their clients’ data by emailing 470 customer email addresses. It is only legal in Canada for licensed producers, not dispensaries, to sell cannabis. Therefore, dispensaries are not following federal legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), governing personal information disclosure.

CIPP Exam Preparation 

In preparation for the Canadian Certified Information Privacy Professional (CIPP/C) Exam, a privacy professional should be comfortable with topics related to this post, including:

  • Enforcement Agencies and Powers, Privacy Commissioners (I.A.c.i.1.))
  • Types of Personal Information (I.B.a.iii.)
  • The Personal Information Protection and Electronic Documents Act of Canada (II.A.a.)
  • The Personal Health Information Protection Act (II.C.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>