Audit: Medical Marijuana Confidentiality Compromised

July 19, 2013
A recent audit found that the confidentiality of the medical marijuana registry has been breached numerous times

An audit found that the confidentiality of the medical marijuana registry has been breached

DENVER – When Colorado voters approved medical cannabis in 2000, Amendment 20 established a registry of patients, physicians and caregivers – a confidential database protected by the constitution.

But an audit of the Department of Public Health and Environment found that the confidentiality of the medical marijuana registry has been breached numerous times. Security issues cited in the report include:

Workers, who were hired through a temporary employment agency, processed hundreds of “red card” applications and entered the information into the registry database;

Confidential patient information or “red cards” were mailed to the wrong recipients at least 15 times;
Department of Revenue enforcement officers, who were investigating medical marijuana dispensaries, requested information about hundreds of “red card” recipients;

The Colorado Crime Information Center (CCIC) allows law enforcement officers to access the registry to verify the “red card” status of an individual as well as find out how much marijuana – the number of ounces or plants – the patient can have;

Employees from the Division of Central Services under the Department of Personnel and Administration, accessed the registry to enter data and scan records;

The names of 5,400 medical marijuana caregivers were sent accidentally to the State Auditor’s office in December 2012.

“The constitution restricts registry access to authorized employees of public health, and law enforcement officers who have stopped or arrested someone who is claiming to be using or possessing medical marijuana,” said Jenny Atchley, a legislative auditor.

According to the auditors, attorneys in the Office of Legislative Services said it is reasonable for the state public health department to allow access to the registry by outside employees if the contract includes an understanding of confidentiality, and the department has control over the work performed.

The public health department said that staff members of contractors and other state agencies are required to sign confidentiality agreements to protect the registry data. However, the auditors checked a sample of 10 outside workers and found just three signed agreements.

The public health department has a policy to notify individuals when their privacy has been breached, but auditors said that does not always occur.

“Confidentiality of the data is very important to the department,” said Karin McGowan, interim director of the Department of Public Health and Environment.

“Last year we processed 280 applications – whether it was a (record) change or the actual application – and there are 108,000 (active) patients in the registry, and we’ve had 15 breaches,” said McGowan. “So while that’s not perfect, to err is human. We do try our best.”

The 5,400 names of medical marijuana caregivers sent to the State Auditor’s office, she said, “was obviously an error.” McGowan said it would have been more risky to send notifications to those individuals, whose addresses may not be current, than to assume the State Auditor’s office would keep that information confidential.

McGowan also questioned whether applications for medical marijuana “red cards” should be classified as confidential information.

Members of the Legislative Audit Committee plan to address that issue and discuss legislative bills to close legal loopholes in the statutes regulating medical marijuana. They plan to consult Attorney General John Suthers before drafting the bills that would be introduced in legislative session next year.

“Statutorily we need to make some clarifications on the intent of the law,” said Rep. Angela Williams (D-Denver) who chairs the Legislative Audit Committee.

“It’s a very complicated business that we are implementing here in the state of Colorado,” Williams told the committee on Tuesday. “(We want) to make sure that we run a quality system as we implement the (retail) marijuana piece of this.”

“Confidentiality is a constitutional principle,” said Sen. Lois Tochtrop (D-Thornton). “I want to see protection of people on medical marijuana… and the confidentiality of applicants should also be protected.”

Rep. Daniel Nordberg (R-Colorado Springs) said there is no question that the constitutional rights of individuals in the registry should not be violated.

“There’s a disturbing trend of government being put in a position of trust – and abusing it,” said Nordberg.

Comments made by visitors are not representative of The Colorado Observer staff.

2 Responses to Audit: Medical Marijuana Confidentiality Compromised

  1. July 23, 2013 at 8:45 am

    This isn’t rocket science here. The records were compromised yes , but come on , all this private information being over Blown… Its Marijuana People. You act like it’s herion or something. That’s what you get for Making this Law , a PARTY ! Same with Washington. You make a mockery of the Serous ness of the Marijuana movement. Now ! we taught you differen’t. Wre set the rules in California so that others can follow. But you give them an inch , and they will take a mile…Peace.

  2. Benny Brand
    July 23, 2013 at 11:28 am

    thoughts on Colorados Security Breach and constitutional violations by the department represented by Karin McGowan.
    It is unclear whether McGowan is saying 15 out of 208 applications or 15 out of 108,000 active patients. My guess would be the 15 out of 208, and she is practicing deliberate obfuscation to minimize the error. And attempting to mention in passing, completely glossing over the fact that there were actually 5400 other incidents; this is not one incident comprised of 5400 component parts. Each of those 5400 records represents an individual, who should be given the right to be heard, receive an apology and offered redress in a form acceptable to the majority. This would provide the accountability that would minimize the chances of this “human error on the excuse of taking the least risky action” from ever happening again.
    There is no such thing as a “minor breach” of constitutional law, yet a breach by the government itself is particularly egregious.


Your email address will not be published. Required fields are marked *

The Complete Colorado
Colorado Peak Politics - Sometimes Unruly. Always Conservative.

Visitor Poll

Should illegal immigrant kids flooding the border be housed in Colorado?

View Results

Loading ... Loading ...

The Colorado Observer