Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database


As legal cannabis has expanded across the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions. People who have applied for medical marijuana cards have had to share particularly personal health information to qualify. For some patients in Ohio who use medical weed, a new data exposure could impact their sensitive information.

Security researcher Jeremiah Fowler found a publicly accessible database in mid-July that appeared to contain medical records, mental health evaluations, doctor reports, and images of IDs like driver's licenses for people seeking medical cannabis cards. The 323GB trove stored close to a million records, including Social Security numbers, email addresses, physical addresses, dates of birth, and medical data—all organized by name.

Based on information that seemed to describe specific employees and business partners, Fowler suspected that the data belonged to the Ohio-based company Ohio Medical Alliance LLC, which goes by the name Ohio Marijuana Card. Fowler contacted the company on July 14; when he checked the database the next day, it had been secured and was no longer publicly accessible online. Fowler did not receive a response about his submission.

Ohio Medical Alliance did not answer WIRED's questions about Fowler's findings. At one point, though, the company's president, Cassandra Brooks, wrote in an email: “I need time to investigate this alleged incident. We take data security very seriously and are looking into this matter.”

“There were physicians' reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else. In some cases, the applicants would submit their own medical records as proof” of their qualifying condition, Fowler tells WIRED. “I saw identification documents from lots of states, from everywhere. And I even saw offender release cards, which are basically IDs for people who just got out of prison that they submitted as proof of identity to get a medical marijuana card.”

Fowler says that most of the files in the database were image formats like PDFs, JPGs, and PNGs. One CSV plaintext document called “staff comments” appeared to be an export of internal communications, appointment histories, notes about clients, and application status. That file also contained more than 200,000 email addresses of Ohio Medical Alliance employees, business associates, and customers.

Databases that are misconfigured and have inadvertently been left publicly exposed on the open internet are a common problem online in spite of efforts to raise awareness about the mistake and its privacy implications.
