Highly sensitive medical marijuana patient data exposed by unsecured databases

As legal marijuana has expanded across the United States for both recreational and medical use, companies have accumulated data on their customers and their transactions. Those applying for medical marijuana cards have to share particularly personal health data to qualify. For some patients using medical weed in Ohio, a recent data exposure may have affected their sensitive information.
Security researcher Jeremiah Fowler discovered a publicly accessible database in mid-July that appears to contain medical records, mental health assessments, physician reports, and images of IDs, such as driver’s licenses, for people seeking medical marijuana cards. The 323 GB trove stores nearly one million records, including Social Security numbers, email addresses, physical addresses, dates of birth and medical data, all organized by name.
Based on information that appears to describe specific employees and business partners, Fowler suspects that the data belongs to Ohio Medical Alliance LLC, which is known as Ohio Cannabis Card. Fowler contacted the company on July 14; when he checked the database the next day, it had been secured and was no longer publicly accessible online. Fowler received no response to his submission.
Ohio Medical Alliance did not answer Wired's questions about Fowler’s discovery. However, at one point, the company’s president, Cassandra Brooks, wrote in an email: “I need time to investigate this incident. We take data security very seriously and are studying it.”
“There are doctors' reports that tell what the basic issues are – anxiety, cancer, HIV or something else,” Fowler told Wired. “I’ve seen identification documents from many states, many states. I even saw the release card for the criminal, which is basically the ID, for someone who has just been released from prison, they submitted their identification for medical marijuana cards.”
Fowler said most files in the database are in image formats such as PDF, JPG, and PNG. A CSV authorization document called “Employee Reviews” appears to be an export of internal communications, dating history, notes about clients and application status. The document also contains email addresses for more than 200,000 Ohio Health Alliance employees, business partners and customers.
Despite efforts to raise awareness of such mistakes and their privacy implications, misconfigured databases that are unintentionally exposed on the open internet remain a common problem.