A data breach involving the personal health information of around 34,000 Canadian medical cannabis users exposes the victims to future fraud, despite not including payment details, a cybersecurity expert has said.
The medical cannabis data breach affected an electronic medical record system used by Natural Health Services, which is owned by Sunniva.
The exposed data included personal contact details, key medical data and medical correspondence, as well as Canadian healthcare card numbers. However, it did not include financial data.
Despite this, there are concerns that the data could be combined with other breach data to scam victims or otherwise obtain access to their accounts.
“Any breach of personal information is an opening for potential future fraud. A stolen name and email address can be combined with other personally identifiable information (PII) from other hacks and breaches, to amass even more detailed profiles of users that are traded and sold to other hackers and fraudsters,” explained Don Duncan, director of business development at NuData Security, a Mastercard company.
“For example, with enough data collected from separate breaches, a fraudster can gain access to enough financial and personal information to enable the successful application for a new credit card or loan, or even takeover of an existing consumer financial account.”
Medical cannabis data breach prompts recommendation for behavioural analytics
Duncan argued that this data breach highlights the need for additional levels of security that prevent the affected data from being used as a tool to gain access to financial accounts.
“Behavioural analytics can provide victims of a data breach with an extra layer of protection even after a hack like what happened to the Natural Health Service has occurred. We need to put a stop to these fraudsters in an entirely passive and non-intrusive way by building barriers to the fraudsters,” he said.
“We do this by learning how a legitimate user interacts with the online world around them, in contrast to a potential fraudster who uses valid consumer information stolen from intrusions and data breaches.
“Passive biometric technologies are highly accurate and impersonation resistant, making it possible to predict and prevent fraud from occurring in real time – without interrupting a user’s experience.”