DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Colorado medical marijuana patients protest privacy breaches

Posted on August 22, 2013 by Dissent

Kristen Wyatt of Associated Press reports:

Medical marijuana patients asked Colorado health authorities on Wednesday to destroy and rebuild the state’s 107,000-person marijuana patient registry because of security breaches.

The Board of Health unanimously rejected the emergency petition. But officials expressed alarm about a recent state audit showing the Colorado Department of Health and Environment isn’t keeping the registry confidential, as required by law.

Read more about their concerns on Kansas City Star.  On the registry’s home page, there’s the following statement about computer security:

The Colorado Department of Public Health and Environment takes the role of data security seriously and incorporates all statutory requirements in its computer systems. The computer system used by the Medical Marijuana Registry (MMR) uses the same computer security methods that are used by the computer system housing birth records. Only MMR employees have access to the MMR computer system, and that access is controlled by defined roles. For example, an employee can only access the portion of the MMR computer system necessary to perform the functions of his/her job.

Statute requires that the department respond to law enforcement inquiries to verify that an MMR certificate is valid. MMR employees manually look up records for law enforcement using procedures that comply with Colorado law. The department is working with law enforcement to automate those queries. Any future automated queries will be subject to the same submission requirements as the current manual inquiries, and the information released in response to such inquiries would be identical to what is currently being supplied manually. All queries will be recorded and logged for audit purposes.

An audit published in June, however, found significant problems with protection of the confidential information of patients, physicians, and caregivers:

Overall, we identified three main problems related to Public Health’s management of confidential Registry data: (1) lack of controls over contractors and staff of other state departments whom Public Health has authorized to access confidential Registry data; (2) access by law enforcement officials/agencies of confidential Registry data under circumstances that the Colorado Constitution does not appear to allow; and (3) confidential data breaches.

The audit also identified a number of database control issues, including lack of ability to log who was accessing and/or making changes to records in the registry. The state agreed with many of the findings and recommendations in the audit, but noted that it was not feasible, given the current system, to make the recommended database control changes and that they would investigate procuring another system that would enable such controls. The auditor responded:

The Medical Marijuana Registry is a confidential registry intended to maintain an accurate record of individuals authorized to use marijuana for medical purposes. If modifying the system that currently houses the Registry is not possible, Public Health should take immediate steps to implement other controls to address risks identified in the audit. Public Health should not wait until it has explored options to procure a new system to strengthen controls over the sensitive data in the Registry.

Indeed.

Category: Health Data

Post navigation

← San Francisco State College of Extended Learning reports breach; one of 500 entities breached
CMS: One Hour to Report HIX Security Incidents →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.