Hackers stole information of more than 7,000 people through Sask. health clinic breach
Saskatchewan’s Information and Privacy Commissioner has revealed that a cyber attack resulted in the unauthorized access of medical and personal information of over 7,000 individuals earlier this year. The breach specifically targeted patient records stored electronically by four clinics operated by Innomar, a healthcare company in Saskatchewan. Fortunately, the breach did not impact Innomar’s pharmacies within the province.
The affected private clinics, located in Regina, Saskatoon, North Battleford, and Prince Albert, offer services such as lab testing and blood work. The breach was discovered by Innomar and its parent company, Cencora, on February 21, 2024, although the initial unauthorized access occurred a month prior. Following the discovery, Innomar stated that no further breaches were detected.
On April 21, 2024, Innomar identified the data that had been compromised, including names, addresses, dates of birth, health diagnoses, medications, and more. The breach was reported to the Information and Privacy Commissioner on May 9, 2024. The Commissioner noted that Innomar took appropriate steps to contain the breach but criticized the delay in notifying affected individuals, with letters only sent out on May 31, 2024.
The breach occurred in two stages, with threat actors gaining access to a server of one of Cencora’s affiliates before moving laterally to access Innomar’s systems. The hackers were able to extract personal health information during this process. In response, Innomar has implemented measures to prevent future breaches.
To assist those affected, Innomar offered credit monitoring services for two years. However, the Commissioner recommended extending this to a minimum of 10 years due to the potential long-term risks associated with stolen data. The ease with which threat actors can store and release individuals’ information underscores the importance of ongoing vigilance and protection measures in the digital age.