What happened in the CB1 Medical data breach?

CB1 Medical, a UK medical cannabis clinic, reported a significant data breach that exposed patient information of over 4,000 individuals. The breach appears to be caused by an inadvertent exposure of an old data export rather than a malicious cyber attack.

What type of patient data was exposed in the CB1 Medical breach?

The exposed data includes contact details (email addresses and phone numbers), dates of birth, prescription information covering a six-month period, details of prescribing doctors, and appointment times and scheduling information.

Was the CB1 Medical breach caused by a cyber attack?

No, the breach is not thought to be the result of a cyber attack and there is no evidence of wider sharing or misuse. It appears to be caused by an inadvertent exposure of an old data export.

How was the CB1 Medical patient data exposed?

The leaked information was contained in a 2,600-page PDF document that was inadvertently exposed on a hosting website.

What actions has CB1 Medical taken in response to the data breach?

CB1 Medical took immediate steps to secure the removal of the information from the hosting website, has commenced an investigation, notified affected patients via email, and has reported the incident to the Information Commissioner's Office (ICO).

Incident

UK medical cannabis clinic CB1 Medical reports data breach exposing over 4,000 patient records

Q: How was the CB1 Medical data breach discovered?

A user reported the issue via a Reddit post after being alerted by Google, probably through Google Alerts that shares new indexed pages that mention a search string, and the string was that person's name or email.

Q: Has CB1 Medical reported the breach to authorities?

Yes, CB1 Medical has reported the incident to the Information Commissioner's Office (ICO), the UK's data protection regulator.

published: Aug. 21, 2025

Learn More

CB1 Medical, a UK medical cannabis clinic, is reporting a significant data breach that exposed patient of over 4,000 individuals.

The breach appears to be caused by an inadvertent exposure of an old data export rather than a malicious cyber attack. The breach is not thought to be the result of a cyber attack and there is 'no evidence of wider sharing or misuse'. A user reported the issue via a Reddit post after "being alerted by Google", probably through Google Alerts that shares new indexed pages that mention a search string and the string was that person's name or email.

The leaked information was contained in a 2,600-page PDF documen. Independent data analysis by affected patients revealed the breach impacted 4,384 unique emails and 4,299 unique phone numbers.

The exposed data includes

Contact details (email addresses and phone numbers)
Dates of birth
Prescription information covering a six-month period
Details of prescribing doctors
Appointment times and scheduling information

The clinic notified affected patients via email on Monday, August 18, 2025, and has reported the incident to the Information Commissioner's Office (ICO).

The clinic says it took 'immediate steps' to secure the removal of the information from the hosting website and has commenced an investigation. Anabel Sharma, Chief Operating Officer for CB1 Medical, stated the clinic is "deeply sorry" for the concern caused by the incident.

UK medical cannabis clinic CB1 Medical reports data breach exposing over 4,000 patient records

Read More
AbbVie reports data breach exposing customer data
Tarrytown Expocare reports potential data breach
Intercept Pharmaceuticals reports data breach
U.S. Drug Mart Files pharmacy reports data breach …
Lockbit gang claims breach of Crinetics Pharmaceuticals