Medical marijuana data breach exposes nearly 1 million patient records
Farah Amod
Sep 4, 2025 8:06:11 AM

Unsecured databases at Ohio Marijuana Card left sensitive patient data, including medical records and ID photos, accessible to the public.
What happened
Ohio Medical Alliance LLC, operating as Ohio Marijuana Card, exposed 957,434 sensitive patient records after leaving two internal databases unsecured and publicly accessible online. The breach, discovered by cybersecurity researcher Jeremiah Fowler, totaled 323 GB of unencrypted data that could be accessed without login credentials.
The exposed information included full names, Social Security numbers, birth dates, home addresses, driver’s license images, medical intake forms, physician certifications, internal notes, and over 210,000 email addresses. Files were stored in folders labeled with patient names, making the data easily searchable.
Going deeper
The data breach impacted patients who used Ohio Marijuana Card’s telemedicine and in-person services across six states. The organization has served more than 330,000 patients nationwide for qualifying medical conditions such as PTSD and anxiety.
Fowler reported the exposure, and the company restricted database access within one day of being alerted. However, it did not respond publicly to the researcher or clarify how long the data remained exposed. It also remains unclear whether the databases were operated in-house or by a third-party vendor.
Because the data included high-resolution ID images, Social Security numbers, and medical evaluations, experts say the risk of identity theft and fraud is significant.
What was said
The Ohio Medical Alliance has not issued a public statement or confirmed whether any unauthorized parties accessed the exposed data before access to the databases was restricted. No timeline has been provided for how long the databases were publicly available.
Cybersecurity professionals warn that even brief exposures of this nature are enough to allow malicious actors to copy and misuse data.
FAQs
Are medical marijuana records protected under HIPAA?
Yes. Medical marijuana patient records, like any health data used in diagnosis and treatment, are generally considered protected health information (PHI) under HIPAA when handled by covered entities or their business associates.
Can exposed medical cannabis data impact future employment or insurance?
Potentially. If health conditions or cannabis usage history are disclosed without consent, individuals may face discrimination in employment or difficulty obtaining certain types of insurance coverage.
What steps can affected patients take after a breach like this?
Patients should monitor their credit reports, freeze their credit if necessary, and consider identity theft protection services. They should also contact their medical provider to understand what specific data may have been exposed.
How can organizations prevent accidental database exposures?
They should implement regular security audits, enforce encryption and password protections, restrict public access by default, and monitor for misconfigured servers or cloud storage.
What role do third-party vendors play in breaches like this?
Third-party contractors often manage hosting, storage, or IT infrastructure. If these vendors lack adequate security practices, they can introduce vulnerabilities, even if the healthcare provider itself complies with regulations.