In a significant data breach impacting medical marijuana patients in Ohio, security researcher Jeremiah Fowler discovered a publicly accessible database that allegedly contained highly sensitive personal information. This incident has raised concerns over data security within the burgeoning legal cannabis sector, where businesses have accumulated extensive customer data for both medical and recreational use.
The exposed database, identified in mid-July, held nearly a million records totalling 323 GB of data. The exposed material included medical records, mental health evaluations, physicians' reports, and personal identification images, such as driver's licenses, from individuals applying for medical cannabis cards. Critically, the records also contained Social Security numbers, email addresses, physical addresses, dates of birth, and other medical details, all indexed by name.
Fowler speculated that the compromised data originated from Ohio Medical Alliance LLC, operating as Ohio Marijuana Card, based on identifiable information mentioning specific employees and business associates. After contacting the company on July 14, he noted that the database was secured on July 15, rendering it inaccessible online, though he did not receive a response regarding his inquiry.
Despite the urgency of the situation, Ohio Medical Alliance remained silent on the specifics of the findings when approached by media outlets. Cassandra Brooks, the company’s president, acknowledged the situation in a prior correspondence, asserting that the organization takes data security seriously and is currently investigating the alleged breach.
Fowler detailed the breadth of the sensitive information contained within the database, stating that various physicians’ reports identified underlying medical conditions, from anxiety to more significant health issues such as cancer and HIV. He noted that applicants sometimes submitted their own medical records as part of the verification process. Additionally, he observed identification documents from multiple states, which included offender release cards for individuals recently released from incarceration, used as proof of identity for medical cannabis applications.
Most files within the exposed database were image or document files (PDFs, JPGs, and PNGs). One particularly notable document was a CSV file labeled "staff comments," which appeared to be an export of internal communications, appointment schedules, client notes, and application statuses. Alarmingly, this single file also contained over 200,000 email addresses belonging to employees, business partners, and customers of Ohio Medical Alliance.
This incident underscores the ongoing issue of misconfigured databases being left publicly accessible, a common vulnerability that continues to threaten personal privacy. As organizations in the legal cannabis industry expand, the risks associated with data security must be addressed comprehensively. The Michigan-based company’s failure to secure sensitive data raises alarms not only about its practices but also about the broader implications for similar entities operating in a rapidly evolving regulatory landscape.
Mapped loosely onto the MITRE ATT&CK framework, the tactics relevant to this breach could include Initial Access, since a publicly reachable, unauthenticated database lets an attacker gain entry without any exploit, and the exposure of data itself, which here stems from the accidental public accessibility of sensitive information rather than from a deliberate intrusion. The incident highlights the necessity for businesses, particularly those handling personal health data, to implement robust security measures, including regular audits of what their systems expose to the internet and employee training, to reduce the risk of future data breaches.