Cannabis Company May Have Leaked Nearly 1 Million Customers' Records, Suit Alleges
A breach at an Ohio firm that helps patients obtain physician-certified medical marijuana cards may have exposed the sensitive information of more than 900,000 of its customers, a law firm investigating the incident said Tuesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The law firm Schubert Jonckheer said cybersecurity researcher Jeremiah Fowler on July 14 "discovered databases originating from Ohio Marijuana Card that were not password protected or encrypted." The firm is investigating the breach on behalf of potential victims.
The databases included 210,620 email addresses of clients, employees, or business partners, as well as images of driver's licenses or identification documents that contained names, physical addresses, dates of birth, and license numbers; medical records; release forms; physician certification forms with Social Security numbers; mental health evaluations; and identification documents from multiple states, Schubert Jonckheer said. In total, unauthorized access to 957,434 records occurred, the firm added.
Ohio Marijuana Card didn't respond to a request for comment, nor is there information about the breach on its website. Similarly, no information about an investigation or the number of impacted consumers was available.
But a class-action complaint was brought in the U.S. District Court for Northern Ohio on Monday, alleging the company acted negligently, breached express and implied contract and invaded customer privacy by failing to safeguard customers' protected health information and personally identifiable information.
"According to OMA’s privacy statement, it claims that all patient information is kept confidential in their HIPAA-compliant file storage system," the complaint said. "These representations are false."
"The publicly displayed records could potentially create serious privacy and security risks in the wrong hands," the complaint added. "The publicly exposed records contain detailed personal and health information that could potentially be exploited for harassment or extortion attempts. Likewise, marijuana remains illegal under federal law, and medical or recreational marijuana use is something that many people would want to remain private," and "mental health is a deeply private issue that could be stigmatized by employers, friends, or family once publicly exposed."
The lawsuit added that while the medical alliance neither responded to the cybersecurity researcher's notice of the incident nor reached out to its customers, "the database was restricted from public access the following day."