Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database

As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions. People who have applied for medical marijuana cards have had to share particularly personal health data to qualify. For some patients in Ohio who use medical weed, a recent data exposure could impact their sensitive information.

Security researcher Jeremiah Fowler found a publicly accessible database in mid-July that appeared to contain medical records, mental health evaluations, physician reports, and images of IDs like driver’s licenses for people seeking medical cannabis cards. The 323-GB trove stored close to a million records, including Social Security numbers, email addresses, physical addresses, dates of birth, and medical data—all organized by name.

Based on information that seemed to describe specific employees and business partners, Fowler suspected that the data belonged to the Ohio-based company Ohio Medical Alliance LLC, which goes by the name Ohio Marijuana Card. Fowler contacted the company on July 14; when he checked the database the next day, it had been secured and was no longer publicly accessible online. Fowler did not receive a response about his submission.

Ohio Medical Alliance did not answer WIRED’s questions about Fowler’s findings. At one point, though, the company’s president, Cassandra Brooks, wrote in an email: “I need time to investigate this alleged incident. We take data security very seriously and are looking into this matter.”

“There were physicians’ reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else. In some cases, the applicants would submit their own medical records as proof” of their qualifying condition, Fowler tells WIRED. “I saw identification documents from lots of states, from everywhere. And I even saw offender release cards, which are basically IDs for people who just got out of prison that they submitted as proof of identity to get a medical marijuana card.”

Fowler says that most of the files in the database were image formats like PDFs, JPGs, and PNGs. One CSV plaintext document called “staff comments” appeared to be an export of internal communications, appointment histories, notes about clients, and application status. That file also contained more then 200,000 email addresses of Ohio Medical Alliance employees, business associates, and customers.

Databases that are misconfigured and have inadvertently been left publicly exposed on the open internet are a common problem online in spite of efforts to raise awareness about the mistake and its privacy implications.