Sensitive medical marijuana patient data exposed to major vulnerabilities
Wired reports that an Ohio company that is dealing with medical marijuana recommendations has left nearly a million records in a publicly available database containing highly sensitive personal information.
Ohio Medical Alliance LLC’s unsecured data (which is the business of Ohio Cannabis Card) includes medical history and social insurance numbers for medical cannabis patients, according to the magazine.
The discovery was first discovered in July by security researcher Jeremiah Fowler.
According to WIRED, the Ohio Cannabis Card appears to have deleted the data after Fowler contacted the company.
Company President Cassandra Brooks arrived briefly on Wednesday by phone mjbizdaily Wait for the results of the internal investigation.
“Until the investigation was conducted, there were no statements yet,” she said.
This situation is by far one of the most important data breaches related to marijuana.
It’s also a rare example of long-term fear expressed by medical marijuana patients: their message appears on the “list” when they try to register patients to comply with state medical marijuana laws.
According to WIRED, medical marijuana patient data is unencrypted and accessible without a password:
- Date of birth.
- Email and physical address.
- Medical history and mental health assessment.
The incident appears to have not yet attracted the attention of the authorities.
Other examples of data breaches have also affected adult marijuana use companies.
In January, California-based major brand Stiizy announced that some customer information was leaked when third-party vendors experienced data breaches.
Following the general trend, Ohio’s MMJ patient enrollment is dropping significantly since the launch of adult sales a year ago.
