
Cybersecurity researcher Jeremiah Fowler discovered an unencrypted and non-password-protected database containing 957,434 records.
The database belongs to Ohio Medical Alliance, a company better known as Ohio Marijuana Card, which provides drugs for medicinal purposes to over 330,000 patients in six states: Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia.
Because the database was neither encrypted nor password-protected, anyone with an internet connection could have accessed the sensitive personal and medical information it held. The 957,434 records had a total size of 323GB.
According to Fowler, who reported his findings to Website Planet, the majority of the files were in PDF, JPG, or PNG formats. These high-resolution documents contained information such as patient names, dates of birth, home addresses, copies of driver’s licenses, and social security numbers.
In addition, medical documents were up for grabs, including intake and evaluation papers, mental health evaluations, medical release forms, physician certification forms, and healthcare records containing private health details.
Furthermore, the database contained one CSV file named “staff comments.” This file held a large volume of internal communications between healthcare professionals, including notes about patients, appointments, status updates, and personal situations. The document also contained 210,620 email addresses of clients, internal employees, and business partners.
Fowler notified Ohio Medical Alliance by sending a responsible disclosure notice. The database was restricted from public access the next day, but he never received any reply to his report. It remains unclear how long the database was exposed and whether anyone else accessed it before it was secured.
The personal and medical information that was stored in the database could pose serious privacy and security risks. In the wrong hands, these records could be used for identity theft, medical fraud, phishing, or other scams.
That’s why the law requires strict privacy and security standards for the handling, storage, and sharing of health information by healthcare providers, clinics, and other healthcare institutions.