
Medical Cannabis Patient Data Leaked in Security Breach

Summary

– A large database containing sensitive medical and personal information for Ohio medical marijuana applicants was found publicly accessible online in mid-July.
– The exposed data, spanning nearly a million records, included medical records, mental health evaluations, physician reports, ID images, Social Security numbers, and contact information.
– Security researcher Jeremiah Fowler identified the database and linked it to Ohio Medical Alliance LLC (Ohio Marijuana Card) based on internal employee and partner information.
– The company secured the database after being notified but did not respond to inquiries about the incident or confirm ownership of the data.
– The exposure highlights the ongoing problem of misconfigured databases being left publicly accessible despite awareness of the serious privacy risks involved.

The expansion of legal cannabis markets across America has created vast repositories of sensitive consumer information, particularly for medical patients who must disclose detailed health histories to qualify for treatment. A recent security lapse in Ohio has exposed deeply personal records, underscoring the privacy risks associated with medical marijuana programs.

In mid-July, security analyst Jeremiah Fowler identified an unsecured database containing nearly a million records related to medical cannabis applications. The exposed information included Social Security numbers, driver’s license images, home addresses, and detailed medical evaluations. Mental health assessments, physician diagnoses, and even offender release documents were among the files left openly accessible online.

Fowler linked the data to Ohio Medical Alliance LLC, operating as Ohio Marijuana Card, based on internal employee and partner details visible in the records. After he notified the company on July 14, public access to the database was removed within 24 hours. Despite repeated inquiries, the firm did not respond to Fowler or media requests for clarification.

Company president Cassandra Brooks eventually acknowledged the situation in a brief statement, noting, “We take data security very seriously and are looking into this matter.” She did not confirm whether patient data was compromised or provide details on the cause or scope of the exposure.

The leaked files included PDFs, images, and a CSV document labeled “staff comments,” which contained over 200,000 email addresses belonging to customers, employees, and business affiliates. Physician notes within the records explicitly listed qualifying medical conditions, including anxiety, cancer, and HIV, along with personally submitted medical proof from applicants across multiple states.

Misconfigured databases remain a persistent threat to digital privacy, despite increased awareness and security protocols. This incident highlights how sensitive health and identity documents can inadvertently become visible to anyone with an internet connection, posing serious risks related to discrimination, identity theft, and personal safety.

The exposure of such detailed personal and medical information serves as a critical reminder of the vulnerabilities that persist even within regulated industries. Patients who provided documentation expecting confidentiality may now face unforeseen consequences due to this lapse in data protection.

(Source: Wired)
