
⚠️ CB1 Medical: Patient/Clinic Data Breach

CB1 Medical have just taken a bunch of people with anxiety, mental health, depression, who use a highly stigmatised drug as a therapy that most patients have at least one person in their life they keep it secret from... the consequences of them finding out ranging from career loss to total familial breakdown... and posted their order history etc online. That is life changing.

This will almost certainly lead to blackmail and has the potential to lead victims into incredibly dark places.

This is disgusting - quite literally the opposite of what this clinic is supposed to do for its patients.

The only satisfactory outcome is that CB1 compensates everyone extremely generously then gets run out of town, because otherwise we're telling the other clinics "btw, it's fine to be this careless with some of the most sensitive data which exists about us".
 
Okay so this was not a hack or data breach, which implies a bad actor, i.e. a member of staff, leaked the old PDF export.
This is not as bad as the M&S or the Co-op or Boots or the Labour Party breaches. I am in a class action against Labour over that.
So I'm letting go, any bad actor in any clinic could do this.
Staying with CB1 Medical as it was not hacked.
CB1 don't know how the data was breached.

They don't think they were hacked but the fact they don't know how this came out infers they cannot be 100% confident they were not hacked.

Having been in this situation, you don't tell your consumers you were hacked unless it's undeniable.

I worked on one of the biggest B2B hacks in the last 5 years in the UK. Most of our customers still don't know what happened other than there was a significant data breach.
 
You'd think it was that easy lol ! I've sent email saying SIMU...
Download the app, if they tried to reach you to book your appt you should be able to rebook in the app straight away.

Same thing happened to me this morning but I've just managed to get a 14:30 appt this afternoon
 
Okay so this was not a hack or data breach, which implies a bad actor, i.e. a member of staff, leaked the old PDF export.
This is not as bad as the M&S or the Co-op or Boots or the Labour Party breaches. I am in a class action against Labour over that.
So I'm letting go, any bad actor in any clinic could do this.
Staying with CB1 Medical as it was not hacked.
This is wrong, clinics can very well have an influence over the likelihood of staff leaking data.

You can take technical measures against it. You can increase the scrutiny in your hiring practices (some of the stories on this forum are mental, the standard of clinicians in this industry is awful). You can do your utmost to have a healthy workplace for staff to reduce the risk of brewing animosities and professional clashes, etc.

Good companies don't leak. When they do it's e-mail addresses and hashed passwords - not order history for a stigmatised mental health therapy.

And even if all clinics are indeed as exposed to this potentiality as you suggest, and CB1 just got unlucky to be the first, that doesn't mean there shouldn't be an industry-wide response that makes this less likely to happen again at any clinic. And other clinics are going to be much more likely to make an effective response if they see CB1 slide into the abyss for this gravest of data errors.

I would be much, much more sympathetic to a hack than just careless leaking. They don't even need an adversary to do us harm, they do it to us directly by themselves? Even in a world with no bad actors, this would still have happened? That's unacceptable.
 
This is wrong, clinics can very well have an influence over the likelihood of staff leaking data.

You can take technical measures against it. You can increase the scrutiny in your hiring practices (some of the stories on this forum are mental, the standard of clinicians in this industry is awful). You can do your utmost to have a healthy workplace for staff to reduce the risk of brewing animosities and professional clashes, etc.

Good companies don't leak. When they do it's names and e-mail addresses - not order history for a stigmatised mental health therapy.

And even if all clinics are indeed as exposed to this potentiality as you suggest, and CB1 Medical just got unlucky to be the first, that doesn't mean there shouldn't be an industry-wide response that makes this less likely to happen again at any clinic. And other clinics are going to be much more likely to make an effective response if they see CB1 slide into the abyss for this gravest of data errors.

I would be much, much more sympathetic to a hack than just careless leaking. They don't even need an adversary to do us harm, they do it to us directly by themselves? Even in a world with no bad actors, this would still have happened? That's unacceptable.
Probably venturing into fields I'm not overly knowledgeable in here from a hands-on perspective, but these clinics should all be running a CRM that monitors which staff member accessed which files, and it should all be logged to dissuade a rogue employee.
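The post above argues that a clinic's records system should log which staff member touched which file so that a rogue employee can be spotted and deterred. The following is an added example, not code from the forum, from CB1 Medical or from any CRM vendor, showing what a minimal review of such an audit log looks like from the defender's side: it parses a constructed access log (the staff IDs, resource names, record counts and the thresholds are all invented for illustration) and raises alerts for bulk exports, out-of-hours access and unusually high daily record volume per staff member. A real deployment would read the log from the CRM or SIEM and tune the thresholds to normal clinic workload.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit log (invented staff IDs, resources and counts;
# not data from CB1 Medical or any real system). One row per access event.
SAMPLE_LOG = """timestamp,staff_id,action,resource,record_count
2024-05-01T09:02:11,nurse01,view,patient/1042,1
2024-05-01T09:05:40,nurse01,view,patient/1043,1
2024-05-01T09:30:02,admin02,export,report/orders-6m.pdf,4800
2024-05-01T10:12:55,doc03,view,patient/2210,1
2024-05-01T22:41:09,admin02,download,report/orders-6m.pdf,4800
2024-05-02T08:15:00,nurse01,view,patient/1044,1
"""

# Assumed policy thresholds (hypothetical values a clinic would tune).
BULK_THRESHOLD = 100          # records in one export/download or one staff-day
BUSINESS_HOURS = (8, 18)      # [start, end) hour of normal clinic access


def parse_log(text):
    """Parse the CSV audit log into dicts with typed timestamp and count."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["record_count"] = int(row["record_count"])
        rows.append(row)
    return rows


def detect_suspicious(rows):
    """Return a list of (kind, staff_id, detail) alerts for review.

    kinds: 'bulk_export'  - a single export/download of many records
           'out_of_hours' - any access outside BUSINESS_HOURS
           'daily_volume' - one staff member touching many records in a day
    """
    alerts = []
    daily_totals = defaultdict(int)
    for r in rows:
        ts = r["timestamp"]
        daily_totals[(r["staff_id"], ts.date())] += r["record_count"]

        # Per-event checks: large exports and access at unusual times.
        if r["action"] in ("export", "download") and r["record_count"] >= BULK_THRESHOLD:
            alerts.append(("bulk_export", r["staff_id"],
                           f"{r['action']} {r['resource']} ({r['record_count']} records) at {ts.isoformat()}"))
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append(("out_of_hours", r["staff_id"],
                           f"{r['action']} {r['resource']} at {ts.isoformat()}"))

    # Aggregate check: total records per staff member per day.
    for (staff, day), total in daily_totals.items():
        if total >= BULK_THRESHOLD:
            alerts.append(("daily_volume", staff, f"{total} records on {day}"))
    return alerts


def run_sample():
    """Run the detection over the constructed log; used by the check below."""
    return detect_suspicious(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, staff, detail in run_sample():
        print(f"[{kind}] {staff}: {detail}")
```

The point of logging is only realised if someone reviews the alerts: in the sample, the single staff account that exported and then re-downloaded the whole order report late at night is the one that trips every rule, which is exactly the pattern an access log is meant to make visible.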
 
CB1 Medical don't know how the data was breached.

They don't think they were hacked but the fact they don't know how this came out infers they cannot be 100% confident they were not hacked.

Having been in this situation, you don't tell your consumers you were hacked unless it's undeniable.

I worked on one of the biggest B2B hacks in the last 5 years in the UK. Most of our customers still don't know what happened other than there was a significant data breach.
They don't know the full facts yet 💯. Until then I think we must just keep calm. I've checked my security and the dark web for any leaks of my information just in case, but I do this pretty regularly anyway. I'm going to have a nice bowl and chill 😎
 
They don't know the full facts yet 💯. Until then I think we must just keep calm. I've checked my security and the dark web for any leaks of my information just in case, but I do this pretty regularly anyway. I'm going to have a nice bowl and chill 😎
I've just joined you with a bowl of TR which I'm gutted is running out :cry:
 
They don't know the full facts yet 💯. Until then I think we must just keep calm. I've checked my security and the dark web for any leaks of my information just in case, but I do this pretty regularly anyway. I'm going to have a nice bowl and chill 😎
That's certainly the right way to deal with it.

I'm not a patient, just very disappointed by how they've reacted to it all and how this appears to be their version of the MoD files being left at the bus stop.
 
I didn't know about the Labour Party breach, I'll have to see if I've overlooked an email from them
Not from them, they leaked all members' data back when Starmer took over, and failed to report to the ICO on time, so now a Liverpool firm of solicitors is doing a class action, no win, no fee.
 
Not from them, they leaked all members' data back when Starmer took over, and failed to report to the ICO on time, so now a Liverpool firm of solicitors is doing a class action, no win, no fee.
Mr Starmer doing something incompetent? I would never have guessed.
 
CB1 Medical don't know how the data was breached.

They don't think they were hacked but the fact they don't know how this came out infers they cannot be 100% confident they were not hacked.

Having been in this situation, you don't tell your consumers you were hacked unless it's undeniable.

I worked on one of the biggest B2B hacks in the last 5 years in the UK. Most of our customers still don't know what happened other than there was a significant data breach.
This is wrong. They now know they were not hacked; they know the PDF ended up in malicious hands after a system upgrade and data export. This is why the police are now involved: a bad actor took the PDF and leaked it. This is what they have communicated to me. So their system was robust enough, which may not be the case for all clinics. I work in IT and most data breaches are via a staff member / bad actor. This could happen to any clinic.
 
This is wrong, clinics can very well have an influence over the likelihood of staff leaking data.

You can take technical measures against it. You can increase the scrutiny in your hiring practices (some of the stories on this forum are mental, the standard of clinicians in this industry is awful). You can do your utmost to have a healthy workplace for staff to reduce the risk of brewing animosities and professional clashes, etc.

Good companies don't leak. When they do it's e-mail addresses and hashed passwords - not order history for a stigmatised mental health therapy.

And even if all clinics are indeed as exposed to this potentiality as you suggest, and CB1 Medical just got unlucky to be the first, that doesn't mean there shouldn't be an industry-wide response that makes this less likely to happen again at any clinic. And other clinics are going to be much more likely to make an effective response if they see CB1 slide into the abyss for this gravest of data errors.

I would be much, much more sympathetic to a hack than just careless leaking. They don't even need an adversary to do us harm, they do it to us directly by themselves? Even in a world with no bad actors, this would still have happened? That's unacceptable.
Most data breaches are from malicious staff members across all industries, and not hacked systems. I come across this often working in IT.
 
They don't know the full facts yet 💯. Until then I think we must just keep calm. I've checked my security and the dark web for any leaks of my information just in case, but I do this pretty regularly anyway. I'm going to have a nice bowl and chill 😎
We are only compromised by our names and last 6 months' scripts and email address. I am changing my email address at CB1 Medical, and then dumping the old one as now compromised; bit of a pain but hey ho...
 
This is wrong. They now know they were not hacked; they know the PDF ended up in malicious hands after a system upgrade and data export. This is why the police are now involved: a bad actor took the PDF and leaked it. This is what they have communicated to me. So their system was robust enough, which may not be the case for all clinics. I work in IT and most data breaches are via a staff member / bad actor. This could happen to any clinic. I would be careful with what you are typing regarding this as this thread will be monitored by the police and CB1 Medical and hearsay could get you in trouble.
100%
 
This is wrong. They now know they were not hacked; they know the PDF ended up in malicious hands after a system upgrade and data export. This is why the police are now involved: a bad actor took the PDF and leaked it. This is what they have communicated to me. So their system was robust enough, which may not be the case for all clinics. I work in IT and most data breaches are via a staff member / bad actor. This could happen to any clinic. I would be careful with what you are typing regarding this as this thread will be monitored by the police and CB1 Medical and hearsay could get you in trouble.

What sort of I.T? I'm in a similar field to you and deal with this frequently for our casino partners and customers.

I also give training to new staff. I agree that a bad actor is likely the case here; I would argue a phishing attempt is generally more likely, with someone emailing files to what they think are legitimate colleagues, but that's irrelevant given the context of your reply.

Their systems being robust is not an issue. They have no clear net detection protections and that's very alarming. As someone who works in I.T. I'm assuming you agree with the need and best practice in implementing something like this; MS Defender, GWS Alert Center and Cisco all offer varying degrees of products like this.

I have nothing to censor. I have not said anything incorrectly. The whole discussion has often referred to various rogue employees and other situations that can be inferred from such a breach.

Most data breaches are from malicious staff members across all industries, and not hacked systems. I come across this often working in IT.
That's incorrect from the training modules I present. But it is up there. Phishing emails are the overwhelming source of breaches.

We are only compromised by our names and last 6 months' scripts and email address. I am changing my email address at CB1, and then dumping the old one as now compromised; bit of a pain but hey ho...
Only compromised on your full names, current private medical treatment and contact details?

Seems a bit disingenuous to be saying only. I appreciate it wasn't financial details but this is a very secretive and sensitive thing for a lot of people.
 
What sort of I.T? I'm in a similar field to you and deal with this frequently for our casino partners and customers.

I also give training to new staff. I agree that a bad actor is likely the case here; I would argue a phishing attempt is generally more likely, with someone emailing files to what they think are legitimate colleagues, but that's irrelevant given the context of your reply.

Their systems being robust is not an issue. They have no clear net detection protections and that's very alarming. As someone who works in I.T. I'm assuming you agree with the need and best practice in implementing something like this; MS Defender, GWS Alert Center and Cisco all offer varying degrees of products like this.

I have nothing to censor. I have not said anything incorrectly. The whole discussion has often referred to various rogue employees and other situations that can be inferred from such a breach.


That's incorrect from the training modules I present. But it is up there. Phishing emails are the overwhelming source of breaches.


Only compromised on your full names, current private medical treatment and contact details?

Seems a bit disingenuous to be saying only. I appreciate it wasn't financial details but this is a very secretive and sensitive thing for a lot of people.
I administer business networks and systems, network admin. I have also worked with eCrime Wales, and government systems.

I do agree most are from phishing, but also many via a bad actor or ex staff member who took data, but from what I have been told this was not the case; just a bad actor took the PDF from the system.

Only compromised on your full names, current private medical treatment and contact details? - yes, I say only in the sense of thank God no card details or passport photos.
 
I am in free fall after this, had 2 panic attacks already today. Is there anyone out there seeking legal advice? I mentioned on more than one occasion to CB1 Medical that I was concerned about problems with security, after I started to have payments taken from my account after paying over the phone with the pharmacy for my medication; 20 mins later I had a string of attempts for anything from pizza being ordered to high-price goods as well.
 