According to a report from the Saskatchewan Information and Privacy Commissioner, 7,293 people in Saskatchewan were affected by a massive privacy breach at Innomar Strategies Inc. and the commissioner recommended the company increase its offering to clients.
In February, a data breach was found at Cencora, Innomar’s parent company, and the report from Ronald J. Kruzeniski, Saskatchewan’s privacy commissioner, said the hackers found their way into Innomar’s systems. According to its website, Innomar owns and operates pharmacies in Prince Albert and Regina, and medical clinics in Regina, Saskatoon, and North Battleford.
Read More:
- Sask. Privacy Commissioner explains snooping breaches
- Sask. ignoring info requests from privacy commissioner: report
- SHA reprimanded for not following information access request rules
According to the commissioner’s report, the data compromised in the breach included names, addresses, birthdates, height and weight measurements, telephone numbers, email addresses, health history, information on medications and prescriptions, medical records and patient numbers, health insurance numbers, signatures, and lab results.
Innomar reported the privacy breach to the commissioner in May, about a month after it determined what information had been taken.
Kruzeniski found Innomar took all of the steps required to properly respond to and contain the breach and prevent it from happening again, including segmenting its systems away from its parent company’s and mailing notification letters to the people affected.
The commissioner wrote that some people might have wanted to be told sooner, but said he accepted that notifying all the people in Saskatchewan and Canada who were affected could cause delays.
Innomar offered those whose information was taken free credit monitoring services for two years, but Kruzeniski recommended Innomar up that to a minimum of 10 years.
Previously, the commissioner’s officer has recommended offering five years of credit monitoring, but he said he’s recently increased that.
“Data is easily stored by threat actors and they may release individuals’ information at any time, especially when individuals least expect them to do so,” wrote Kruzeniski in his report.
Cencora reportedly paid $75 million dollars to the hackers to get back the information that was taken. When it was reported, it was called the largest known payment after a ransomware attack.