DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Colorado medical marijuana patients protest privacy breaches

Posted on August 22, 2013 by Dissent

Kristen Wyatt of Associated Press reports:

Medical marijuana patients asked Colorado health authorities on Wednesday to destroy and rebuild the state’s 107,000-person marijuana patient registry because of security breaches.

The Board of Health unanimously rejected the emergency petition. But officials expressed alarm about a recent state audit showing the Colorado Department of Health and Environment isn’t keeping the registry confidential, as required by law.

Read more about their concerns on Kansas City Star.  On the registry’s home page, there’s the following statement about computer security:

The Colorado Department of Public Health and Environment takes the role of data security seriously and incorporates all statutory requirements in its computer systems. The computer system used by the Medical Marijuana Registry (MMR) uses the same computer security methods that are used by the computer system housing birth records. Only MMR employees have access to the MMR computer system, and that access is controlled by defined roles. For example, an employee can only access the portion of the MMR computer system necessary to perform the functions of his/her job.

Statute requires that the department respond to law enforcement inquiries to verify that an MMR certificate is valid. MMR employees manually look up records for law enforcement using procedures that comply with Colorado law. The department is working with law enforcement to automate those queries. Any future automated queries will be subject to the same submission requirements as the current manual inquiries, and the information released in response to such inquiries would be identical to what is currently being supplied manually. All queries will be recorded and logged for audit purposes.

An audit published in June, however, found significant problems with protection of the confidential information of patients, physicians, and caregivers:

Overall, we identified three main problems related to Public Health’s management of confidential Registry data: (1) lack of controls over contractors and staff of other state departments whom Public Health has authorized to access confidential Registry data; (2) access by law enforcement officials/agencies of confidential Registry data under circumstances that the Colorado Constitution does not appear to allow; and (3) confidential data breaches.

The audit also identified a number of database control issues, including lack of ability to log who was accessing and/or making changes to records in the registry. The state agreed with many of the findings and recommendations in the audit, but noted that it was not feasible, given the current system, to make the recommended database control changes and that they would investigate procuring another system that would enable such controls. The auditor responded:

The Medical Marijuana Registry is a confidential registry intended to maintain an accurate record of individuals authorized to use marijuana for medical purposes. If modifying the system that currently houses the Registry is not possible, Public Health should take immediate steps to implement other controls to address risks identified in the audit. Public Health should not wait until it has explored options to procure a new system to strengthen controls over the sensitive data in the Registry.

Indeed.

Category: Health Data

Post navigation

← San Francisco State College of Extended Learning reports breach; one of 500 entities breached
CMS: One Hour to Report HIX Security Incidents →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.