24 x 7 World News

Hackers stole information of more than 7,000 people through Sask. health clinic breach

0

Saskatchewan’s information and privacy commissioner says hackers obtained the medical and personal information of more than 7,000 people.

The breach occurred earlier this year and affected patient records┬аstored electronically through four clinics run by the health-care company Innomar┬аin Saskatchewan.┬аThe hack did not affect┬аInnomar’s pharmacies in the province.

The private clinics provide lab testing and blood work and are located in Regina, Saskatoon, North Battleford┬аand Prince Albert.

In his report, Information and Privacy Commissioner (IPC) Ronald Kruzeniski said that Innomar Strategies Inc. and its parent company Cencora learned on Feb. 21, 2024, that data from its system had been breached.

The first “unauthorized access” to its system had happened a month earlier. After Feb. 21, Innomar said it did not find any further breach.

On Apr. 21, 2024, Innomar found the following information had been “exfiltrated” from its system:

  • Names, addresses, dates of birth.
  • Height, weight.
  • Telephone number, email addresses.
  • Dates, location of services.
  • Health diagnosis/condition.
  • Medications/prescriptions.
  • Medical record number, patient numbers, health insurance/subscriber number.
  • Signature, lab results, and medical history.

The breach was reported to the IPC┬аon May 9, 2024.

“Innomar proactively reported the privacy breach to my office, including how it believes that 7,293 individuals in Saskatchewan were affected by this breach,” the report said.

The report found that Innomar “took reasonable steps to contain the breach.”

Kruzeniski said there was a delay in reporting the breach to those affected. Innomar informed people through letters dated May 31, 2024.

“Innomar explained that although the exfiltration of data was discovered on Feb. 21, 2024, it did not determine that personal health information was exfiltrated until April 10, 2024,”┬аKruzeniski said.

Kruzeniski said the breach happened in two stages.

“First, it appears that threat actors were able to gain access to a server of one of Cencora’s affiliates. Then, based on the network segmentation arrangements at the time, the threat actors were able to obtain credentials to move laterally from the affiliate’s systems to Innomar’s systems.”

The hackers then took┬аthe personal health information.

Kruzeniski said the company has taken steps to prevent a similar breach in the future.

Innomar offered credit monitoring services to affected individuals for two years.┬аIPC recommended that be extended to a minimum of 10 years because, “data is easily stored by threat actors and they may release individuals’ information at any time, especially when individuals least expect them to do so.”

Leave a Reply