A staggering data exposure has rocked the medical cannabis industry. In mid-July, security researcher Jeremiah Fowler discovered a publicly accessible, unsecured 323 GB database tied to Ohio Medical Alliance LLC (also known as Ohio Marijuana Card). It revealed nearly one million highly sensitive patient records, including Social Security numbers, medical and mental health evaluations, government-ID images, physician reports, and even offender release cards, arranged by name and stored without password protection or encryption. Fowler's alert prompted the company to secure the database the following day, though the company provided no detailed response. Strauss Borrelli PLLC is now investigating the incident, and reports from Ganjapreneur and others confirm that the data included 957,434 unique records.
Sources: Ganjapreneur.com, TechBuzz, Wired
Key Takeaways
– Depth of exposure: The breach encompassed an astonishing volume of private information—Social Security numbers, medical conditions, mental health evaluations, physical and email addresses, and ID documents—posing serious risks of identity theft, discrimination, and personal harm.
– Industry-wide implications: This lapse highlights the pressing need for cannabis providers to adopt robust cybersecurity practices, as the legal cannabis sector increasingly collects protected health data without a consistent security framework.
– Lack of transparency and accountability: While access was blocked swiftly after disclosure, Ohio Medical Alliance’s minimal response and silence on the extent of the incident raise concerns about oversight, notification, and regulatory responsibility.
In-Depth
The fallout from this breach is a wake-up call: medical cannabis providers must treat data security as seriously as they treat patient trust. In Ohio, Ohio Medical Alliance LLC, doing business as Ohio Marijuana Card, left a 323 GB database completely exposed online, accessible to anyone with no password required.
Discovered by Jeremiah Fowler, it contained nearly 1 million highly sensitive records—SSNs, health diagnoses, mental health evaluations, IDs, and internal communications. Patient folders were organized by name and included files that ranged from intake paperwork to physician-certified qualifying documents, including conditions like anxiety, cancer, or HIV. A CSV file of internal “staff comments” revealed over 200,000 email addresses and updates on application statuses.
The company locked down the database within a day of being notified, yet its lukewarm response and silence do little to reassure those affected. Now Strauss Borrelli PLLC is investigating whether Ohio’s patients were wronged. This incident underscores a recurring risk: as the legal cannabis market grows, the sensitive data it gathers must be guarded with industry-standard protocols—from encryption to multi-factor authentication, regular audits, and swift, transparent incident response.
In a sector that’s still fighting for legitimacy and oversight, this kind of negligence undermines trust and could invite stricter regulation. For patients, the consequences are personal: identity theft, stigmatization, and breach of privacy. Protecting patient information isn’t optional—it’s the cornerstone of ethical healthcare, even (and especially) in evolving sectors like medical cannabis.

