Initially revealed on Hashish Well being 

A UK medical hashish clinic is finishing up investigations after a considerable quantity of sufferers’ info was leaked in a serious knowledge breach.

In an e-mail despatched to sufferers on Monday 18 August, CB1 Medical confirmed it had recognized a ‘knowledge safety incident’ when sufferers’ private particulars, together with prescription info, have been discovered on a file internet hosting web site.

The leak included contact particulars, dates of delivery and in some instances, prescription info overlaying a six-month interval, in addition to the main points of the prescribing physician.

CB1 Medical says it took ‘fast steps’ to safe the removing of the knowledge from the internet hosting web site and has commenced an investigation.

The breach is just not regarded as the results of a cyber assault and there may be ‘no proof of wider sharing or misuse’.  The data didn’t embrace addresses, monetary info, ID paperwork, passwords or medical histories.

In response to Medbud UK, an impartial knowledge hub for the medical hashish sector, sufferers have been first made conscious of a problem by way of a Reddit submit by a person who mentioned they’d been alerted to his particulars being compromised by Google.

⚠️ There’s been a monumental privateness breach containing personal affected person knowledge from a clinic.

A submit was made on Reddit at 8:05pm together with sufferers private particulars, appointment occasions, and drugs/prescription particulars.

The leak is a 2,600 web page PDF doc.

As this occurred…

— 🇬🇧 MedBud.wiki (@MedBudUK) August 16, 2025

Reporting the incident on X, the organisation mentioned the leak included a 2,600-page doc and had been knowledgeable that it may embrace knowledge from over 4,000 sufferers. CB1 Medical mentioned it might not touch upon the numbers concerned whereas investigations have been ongoing.

Stats on whole quantity of compromised/leaked affected person accounts, by way of one other affected person:

Distinctive emails: 4,384
Distinctive telephone numbers: 4,299 https://t.co/9BEiafENho

— 🇬🇧 MedBud.wiki (@MedBudUK) August 17, 2025

Dozens of sufferers have taken to social media to precise their concern after receiving the e-mail, together with some who say they aren’t presently beneath the care of CB1 Medical.

The impartial affected person advocacy service, CannCare, which is presently supporting sufferers affected by the information breach, has urged vigilance over the approaching weeks and has shared recommendation to assist folks shield themselves from potential scams.

“We perceive that incidents like this may set off actual nervousness, particularly when well being and privateness are concerned,” the organisation mentioned in an announcement.

“Even with out medical data or monetary info, particulars resembling names, contact info order historical past and clinician names can be utilized to craft convincing scams. Over the following few weeks, keep alert messages which will reference prescriptions, latest orders or a clinician by title. Deal with any sudden emails, texts or calls with warning, particularly these which are asking you for private info or urging fast motion.”

The organisation has additionally appealed to the broader neighborhood to “keep away from hypothesis”, including that some solutions “should come from the organisation accountable”.

“CannCare is doing all the things in its energy to help sufferers by offering clear steerage, serving to with affirmation appropriate requests the place applicable, and signposting to sensible steps to assist shield your self,” it said.

“We ask the neighborhood to assist by avoiding hypothesis. In conditions like this, it’s vital that information, not accusations or rumours are shared. Hypothesis can hurt sufferers, obscure the reality and sluggish actual options.”

CB1 ‘deeply sorry’ for concern induced

Anabel Sharma, Chief Working Officer for CB1 Medical instructed Hashish Well being, the clinic is “deeply sorry” for the priority brought on by the incident and that defending affected person privateness “stays paramount”.

“Now we have recognized a knowledge safety incident, which, regrettably, concerned a few of the private particulars of sufferers – all of whom have been written to instantly by our workforce. Now we have written to affected sufferers to verify that their knowledge was affected and supply particulars of how one can contact us if they’ve any additional questions.”

The data is known to narrate to an previous knowledge export and never its dwell techniques. Sharma added that whereas it outsources a few of its affected person administrations providers to 3rd events, she reiterated that every one its operations are performed “in accordance with UK regulation”.

“We’re deeply sorry for the priority this will have induced and can proceed to deal instantly with sufferers to handle any further considerations,” she continued.

“Defending affected person privateness stays paramount, and as a clinician-led specialist workforce, we’re dedicated to delivering the best requirements of affected person care and therapy. Some parts of our affected person service administration are carried out by third events, however all our operations are performed in accordance with UK regulation. The breach has been reported to the ICO, and investigations are ongoing. As such, it might not be applicable to remark additional right now.”

Script Help, a expertise supplier utilized by CB1 Medical confirmed it was “not concerned” within the incident.

A consultant mentioned: “As at all times, info from our platform is just ever securely delivered to authorised customers beneath strict entry controls and guarded to the best worldwide requirements.”