Hackers stole information of more than 7,000 people through Sask. health clinic breach
Data breach involved patient records from Sask. Innomar clinics: privacy commissioner
Saskatchewan's information and privacy commissioner says hackers obtained the medical and personal information of more than 7,000 people.
The breach occurred earlier this year and affected patient records stored electronically through four clinics run by the health-care company Innomar in Saskatchewan. The hack did not affect Innomar's pharmacies in the province.
The private clinics provide lab testing and blood work and are located in Regina, Saskatoon, North Battleford and Prince Albert.
In his report, Information and Privacy Commissioner (IPC) Ronald Kruzeniski said that Innomar Strategies Inc. and its parent company Cencora learned on Feb. 21, 2024, that data from its system had been breached.
The first "unauthorized access" to its system had happened a month earlier. Innomar said it did not find any further breach after Feb. 21.
On Apr. 21, 2024, Innomar found the following information had been "exfiltrated" from its system:
- Names, addresses, dates of birth.
- Height, weight.
- Telephone number, email addresses.
- Dates, location of services.
- Health diagnosis/condition.
- Medications/prescriptions.
- Medical record number, patient numbers, health insurance/subscriber number.
- Signature, lab results, and medical history.
The breach was reported to the IPC on May 9, 2024.
"Innomar proactively reported the privacy breach to my office, including how it believes that 7,293 individuals in Saskatchewan were affected by this breach," the report said.
The report found that Innomar "took reasonable steps to contain the breach."
Kruzeniski said there was a delay in reporting the breach to those affected. Innomar informed people through letters dated May 31, 2024.
"Innomar explained that although the exfiltration of data was discovered on Feb. 21, 2024, it did not determine that personal health information was exfiltrated until April 10, 2024," Kruzeniski said.
Kruzeniski said the breach happened in two stages.
"First, it appears that threat actors were able to gain access to a server of one of Cencora's affiliates. Then, based on the network segmentation arrangements at the time, the threat actors were able to obtain credentials to move laterally from the affiliate's systems to Innomar's systems."
The hackers then took the personal health information.
Kruzeniski said the company has taken steps to prevent a similar breach in the future.
Innomar offered credit monitoring services to affected individuals for two years. The IPC recommended that be extended to a minimum of 10 years because "data is easily stored by threat actors and they may release individuals' information at any time, especially when individuals least expect them to do so."