Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database

As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions. People who have applied for medical marijuana cards have had to share particularly personal health information to qualify. For some patients in Ohio who use medical weed, a new data exposure could impact their sensitive information.

Security researcher Jeremiah Fowler found a publicly accessible database in mid-July that appeared to contain medical records, mental health evaluations, physician reports, and images of IDs like driver's licenses for people seeking medical cannabis cards. The 323-GB trove stored close to a million records, including Social Security numbers, email addresses, physical addresses, dates of birth, and medical data—all organized by name.

Based on information that seemed to describe specific employees and business partners, Fowler suspected that the data belonged to the Ohio-based company Ohio Medical Alliance LLC, which goes by the name Ohio Marijuana Card. Fowler contacted the company on July 14; when he checked the database the next day, it had been secured and was no longer publicly accessible online. Fowler did not receive a response about his submission.

Ohio Medical Alliance did not answer WIRED's questions about Fowler's findings. At one point, though, the company's president, Cassandra Brooks, wrote in an email: “I need time to investigate this alleged incident. We take data security very seriously and are looking into this matter.”

“There were physicians' reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else. In some cases, the applicants would submit their own medical records as proof” of their qualifying condition, Fowler tells WIRED. “I saw identification documents from lots of states, from everywhere. And I even saw offender release cards, which are basically IDs for people who just got out of prison that they submitted as proof of identity to get a medical marijuana card.”

Fowler says that most of the files in the database were image formats like PDFs, JPGs, and PNGs. One CSV plaintext document called “staff comments” appeared to be an export of internal communications, appointment histories, notes about clients, and application status. That file also contained more than 200,000 email addresses of Ohio Medical Alliance employees, business associates, and customers.

Databases that are misconfigured and have inadvertently been left publicly exposed on the open internet are a common problem online in spite of efforts to raise awareness about the mistake and its privacy implications.