Over 7,000 patients in Saskatchewan had their intimate medical information breached by hackers, according to the province’s privacy watchdog.

In a report last week, the Saskatchewan Information and Privacy Commissioner wrote that the breach was proactively disclosed to his office by Innomar, which operates four clinics and a pharmacy in the province, situated in Regina, Saskatoon and Prince Albert. According to Innomar, its parent company Cencora learned that data had been stolen from its system around February 2024, took steps to contain the breach, and reported it to provincial commissioner Ron Kruzeniski in May 2024.

The information obtained by the hackers was extensive: names, addresses, birthdates, height, weight, phone number, email address, service locations, health conditions, prescription information, patient numbers, health insurance subscriber number, signature, lab results and medical history. The breach did not affect the pharmacy in Saskatchewan, only the four clinics, which provide lab testing and blood work.

When it reached out to Kruzeniski’s office in May, Innomar said it took immediate steps to contain the breach and sought help from law enforcement and cybersecurity experts. Innomar said it rotated credentials for all accounts in its system, disabled any accounts found to be compromised, identified the initial point of entry and blocked “all known indicators of compromise.”

“There has been no observed unauthorized activity since these containment steps were completed on February 21, 2024 and there is no evidence of ongoing unauthorized activity,” the company told the privacy commission.

All those affected by the breach, 7,293 people in Saskatchewan alone, were sent letters disclosing what happened, Kruzeniski writes. Although some patients weren’t contacted until more than 100 days after the breach, Kruzeniski argues the company should be able to get its facts straight before contacting everyone affected.

He found Innomar did appropriately notify everyone affected by the privacy breach. Innomar has offered to pay for credit monitoring for the affected patients for two years, but in his report, Kruzeniski recommends the company pay for a minimum of ten years of credit monitoring.