Privacy Breach at Ontario LP Puts Patient Information at Risk
A user of the popular website Reddit claims that over 100 names and addresses of other medical cannabis patients were sent to him by licensed producer of cannabis Redecan after he registered with them to obtain medical cannabis.
The medical cannabis patient posted on the /CanadianCannabisLPs “subreddit” that full names and e-mail addresses of 115 people were sent to him in the CC line of a welcome email the company sent him on March 5.The user also posted a screenshot of an email response he claims the company sent him.
“It has come to our attention that an email communication was distributed by a group of recipients without using the blind copy function. Please be assured we are working diligently to address the issue and identify how this error occurred as well as how it can be prevented in the future.”
The email later asks users to, “kindly refrain from using the ‘Reply All’ function on the original email and direct all concerns to our Chief Administration Officer.”
The incident comes on the heels of an incident in Nov. 2018 in which Reddit users reported sightings of what appeared to be mould and bug in their purchases of the company’s cannabis sold through the Ontario Cannabis Store website.
Shortly afterwards, in response to reports of mould sightings, the company issued a type II voluntary recall for a specific batch of a strain.
The company addressed the sightings of alleged bug differently, telling BNN Bloomberg and CTV News on November 22, 2018 that customers had seen “harmless, non-volatile organic matter,” terming them “protein carbohydrates.”
The next day, however, the company admitted that they use a predatory mite called persimilis to aid in preventing spider mites from destroying the crop. It is unclear if this is what customers had observed in their cannabis.
The latest incident, an apparent privacy breach, could land the cannabis company in hot water. The company would likely avoid charges under the federal Personal Information Protection Act and Electronic Documents Act since they must have ‘knowingly’ violated provisions in the Act.
Similarly, although the company is subject to Ontario’s Personal Health Information Protection Act, the prosecution would have to show that the personal information was revealed “willingly” and that the information in question constituted “personal health information.”
However, the Privacy Commission of Canada could investigate the company’s practices if deem it necessary.
In addition, Ontario’s appellate court first recognized a tort for invasion of privacy in 2013, meaning affected patients might be able to sue the company.
The reddit user confirmed his Reddit posts to Leafly via phone on Friday.
“I have a prescription with another LP and I had hoped things would be better at Redecan so I could purchase from a small company near [where I live].”
After the incident, the user wanted their medical documentation to be transferred to another licensed federal seller of medical cannabis, but the company only offered to return the medical document to his doctor because the company had not fully registered him by that point.
“Redecan would be happy to return your medical document to your doctor with a notice indicating that it acknowledges that the returned medical document now constitutes the original,” the response allegedly read.
“Your record with Redecan would then be disabled and no further correspondence would be initiated.”
The company did not return a request for comment by press time.