Healthcare Information Security


Lax security of marijuana database prompts emergency petition

By Jennifer Bresnick

Medical marijuana patients in Colorado are protesting the state’s handling of their records, stored in a state patient registry, according to the Denver Post. While marijuana is now legal in the state for all adults, private patient information has been compromised in numerous ways, prompting an emergency petition to the Board of Health to destroy and rebuild the registry in a confidential, secure way. The petition was unanimously rejected by the state board, leaving patients frustrated and unhappy with the snub to their HIPAA rights.

Colorado’s list of medical marijuana patients is supposed to be accessible to law enforcement only under limited circumstances, but two recent cases have led state auditors and patients to question the Board of Health’s commitment to their privacy. In 2012, the department released 107 names to an officer investigating a marijuana dispensary, and in another case, 5,400 people designated to distribute marijuana to patients were not notified that their information had been shared with auditors. Additionally, temporary employees who were handling patient information were not required to sign confidentiality agreements.

“The registry is compromised beyond repair. We don’t believe there’s any reason to trust this,” said Laura Kriho, who leads a patient advocacy group and filed the emergency petition asking the health department to destroy the database and start it again.  “I’m disgusted. No other patients’ medical information is treated this way,” protester Kathleen Chippi added.

The audit of the marijuana registry’s practices found three major areas of concern: a “lack of controls over contractors and staff of other state departments whom Public Health has authorized to access confidential Registry data, access by law enforcement officials/agencies of confidential Registry data under circumstances that the Colorado Constitution does not appear to allow, and confidential data breaches.”

The patient registry administrators are insisting that they are making security upgrades suggested by the state auditors, and that the protesters’ concerns are overblown.  “We feel we have prudent practices in place,” said Ron Hyman, Colorado’s registrar of vital statistics. “We take every breach seriously.  [Members of law enforcement] are not permitted to go on fishing expeditions.”

