Full Report
Sarah Sinclair reports: A UK medical cannabis clinic is carrying out investigations after a substantial amount of patients’ information was leaked in a major data breach. In an email sent to patients on Monday 18 August, CB1 Medical confirmed it had identified a ‘data security incident’ when patients’ personal details, including prescription information, were found...
Analysis Summary
# Incident Report: CB1 Medical Patient Data Leak
## Executive Summary
CB1 Medical, a UK cannabis clinic, is investigating a major data security incident after a substantial amount of patient data was discovered on a third-party file hosting website. The leak primarily involved personal and prescription details covering a six-month period. The clinic took immediate steps to remove the data and initiated an investigation, noting that the incident is not believed to be the result of a cyberattack.
## Incident Details
- Discovery Date: August 18, 2025 (Date email sent to patients)
- Incident Date: Prior to August 18, 2025
- Affected Organization: CB1 Medical
- Sector: Healthcare (Medical Cannabis Clinic)
- Geography: UK
## Timeline of Events
### Initial Access
- Date/Time: Prior to August 18, 2025
- Vector: Unspecified internal exposure or unauthorized placement of data onto a file hosting website.
- Details: Patient personal and prescription details were found accessible on a file hosting service.
### Lateral Movement
- N/A (The nature of the incident suggests an accidental exposure or leak rather than a full network infiltration.)
### Data Exfiltration/Impact
- Patient contact details, dates of birth, and prescription information covering a six-month period, along with the prescribing doctor's details, were exposed.
### Detection & Response
- **Detection:** The breach was identified when the patient information was found on a file hosting website.
- **Response:** CB1 Medical emailed affected patients on Monday, August 18, 2025, confirming the incident. It took immediate steps to secure the removal of the data from the hosting website and commenced an internal investigation.
## Attack Methodology
- Initial Access: Unconfirmed; the incident is **not thought to be the result of a cyber attack**. Likely misconfiguration or unauthorized file sharing/upload.
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: Unauthorized placement/exposure on a file hosting website.
- Impact: Unauthorized disclosure of Personally Identifiable Information (PII) and prescription data.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Contact details, dates of birth, prescription information (6-month period), and prescribing doctor details were exposed. **Crucially, addresses, financial information, ID documents, passwords, and medical histories were *not* included.**
- Operational: Minor disruption due to the need to conduct investigations and notify patients.
- Reputational: Potential damage due to the public nature of a data leak concerning sensitive prescription information.
## Indicators of Compromise
- Network indicators: Exposure on an unknown file hosting website; the site and its URL are not identified in the report.
- File indicators: File containing patient PII and prescription metadata.
- Behavioral indicators: Unauthorized hosting or sharing of documents outside secure organizational boundaries.
## Response Actions
- Containment measures: Immediate steps taken to secure the removal of the exposed information from the file hosting website.
- Eradication steps: Investigation commenced to determine the source and scope of the exposure.
- Recovery actions: Not fully detailed, but focus was on data removal and patient notification.
## Lessons Learned
- The primary lesson is the critical risk posed by third-party file hosting services and the need for stringent controls over where sensitive patient data can be stored or uploaded.
- While not deemed a cyberattack, the process failure leading to data exposure remains a significant vulnerability.
## Recommendations
- Conduct a thorough audit of all cloud storage and file-sharing platforms used by the organization and its staff to ensure compliance with data protection regulations.
- Implement rigorous access controls and data loss prevention (DLP) monitoring specifically targeting the uploading of PII/PHI data to external services.
- Review and enhance employee training regarding the proper handling and storage of digital patient records, emphasizing prohibited use of consumer-grade file hosting services.