Medical Marijuana Data Breach

The Ohio Medical Alliance LLC (OMA), known publicly as Ohio Marijuana Card, suffered a major data exposure that left nearly one million records publicly accessible online without encryption or password protection. The unsecured databases, totaling 323 gigabytes, contained 957,434 files including scans of state-issued IDs, intake forms, physician certifications listing Social Security numbers, release forms, and detailed mental health evaluations. Patient folders were labeled with names, and many documents revealed medical diagnoses and the reasons individuals sought medical marijuana prescriptions.

In addition to medical and identification documents, one spreadsheet labeled “staff comments” exposed an estimated 210,620 email addresses belonging to patients, employees, and business partners. The file also included internal notes about client appointments, personal circumstances, and communications between staff. These records represented not only sensitive health information but also personal identifiers that could be exploited for identity theft, fraud, or discrimination, especially given the stigma still attached to cannabis use in some regions.

The exposed databases were secured the day after the exposure was reported through a responsible disclosure notice, though OMA did not issue any public response. It remains unclear whether the databases were directly managed by OMA or a third-party vendor, or how long the information was left unprotected. With OMA claiming to have served more than 330,000 patients nationwide under HIPAA-compliant systems, the exposure highlights serious concerns about privacy, compliance, and patient trust in the rapidly growing medical marijuana industry.
