Medical and personal patient data from Innomar Strategies – a major Canadian pharmaceutical company – was stolen following an intrusion into the parent company’s computer system. Potential victims interviewed by La Presse did not know that this company had access to this sensitive information.
“I have already had my information stolen with the leak from Desjardins and now I learn that it is the information in my medical file that would have been stolen from a company that I do not even know,” says a patient who does not want to be named, for fear of breaking the bond of trust with his doctor.
Since being diagnosed with cancer a few years ago, the man has undergone a battery of treatments and participated in several studies.
The company in question is Innomar Strategies. This Canadian subsidiary of Cencora – a US drug distribution giant that was called AmerisourceBergen until last year – manages dozens of patient support programs (PSPs).
PSPs are programs that operate outside the public health network and monitor the use of expensive specialty medications that treat complex illnesses. In order for a patient to participate, the doctor usually has them sign a consent form.
Earlier this week, Innomar sent a letter to patients saying it had noticed that “data was extracted” from the parent company’s computer systems on February 21, 2024. It said it had taken control measures and investigated “with the help of law enforcement, cybersecurity experts and external lawyers.”
The result: In April, the company concluded that information had “been impacted by the incident.” Nearly two months passed before Innomar communicated with its patients.
The missive states: “Based on our investigation, personal information, including your personal health information, was affected, including possibly […] the location of the services you received, your diagnosis/medical condition, your medications/prescriptions, your medical record number, your patient numbers, your health insurance number, your signature, your laboratory results and your medical history.”
“There’s nothing reassuring about this,” says one patient, who declined to be named so as not to embarrass the doctor who had her sign the form to enroll her in a treatment program. She is receiving doses to combat a skin condition. “I really wonder what medical information they have and what someone could do with my information.”
She adds: “It’s a strange feeling because it bothers me more than if it was financial information. From what I understand, they have access to my blood tests, my diagnoses… This is information that only me and my doctor should have access to. I didn’t even know the company had access to this information.”
Cencora’s director of public relations, Mike Iorfino, sent an email to La Presse in which he essentially summarizes what is detailed in the letter sent to patients. As a result, it was impossible to know the number of Canadian patients whose data was potentially exposed.
The email adds that there is “no evidence that the information was publicly disclosed or misused for fraudulent purposes” and assures that Cencora and Innomar provide patients with access to resources “to help them protect their information.”
A major Canadian player in the pharmaceutical industry, Innomar manages dozens of patient care programs funded by drug manufacturers such as Abbvie, Bristol-Myers, Pfizer, Sandoz, Sanofi and Takeda. The company also owns hundreds of infusion clinics and pharmacies across the country.
Cybersecurity specialist and lecturer at the University of Sherbrooke Steve Waterhouse is not surprised by the event.
“Someone adds information of another nature that they can cross-reference with that coming from the leaks from Desjardins, Capital One, Bell, Facebook, Videotron, etc.,” he explains.
In recent years, several thefts or data leaks have targeted medical data, he emphasizes. He cites the recent example of the theft of personal data of patients from five Ontario hospitals following an attack targeting Transform, the organization that manages the IT services of these institutions.