Ohio Medical Alliance exposed a medical marijuana patient database containing 957,000 records, including SSNs, IDs, health files, and sensitive internal notes.
Cybersecurity researcher Jeremiah Fowler identified two unprotected, misconfigured databases containing nearly a million records linked to Ohio Medical Alliance LLC, a company better known under its brand name Ohio Marijuana Card.
Fowler, who reported the exposure to Website Planet, found that the databases had been left open without encryption or password protection, allowing anyone with an internet connection to access names, Social Security numbers (SSNs), dates of birth, home addresses, and high-resolution images of driver’s licenses.
The files also contained deeply personal medical information, such as intake forms, physician certifications, and evaluations related to conditions like post-traumatic stress disorder (PTSD) and anxiety.
According to Fowler’s report, shared with Hackread.com ahead of publication, the 323 GB of databases stored 957,434 records. Many files were PDFs and image formats, neatly organized in folders labeled with patient names.
In addition to medical documents, one CSV file named “employee comments” included internal notes, client updates, and more than 210,000 email addresses belonging to patients, employees, and business partners.
Ohio Medical Alliance LLC provides both telemedicine and in-person services to help patients obtain physician-certified medical marijuana cards. According to its website, the company has supported over 330,000 patients nationwide and operates clinics in states including Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia.
Once Fowler alerted the company, public access to the database was restricted the next day. However, he received no direct response to his disclosure. It remains unclear whether the data was managed internally by Ohio Medical Alliance or by a third-party contractor. Equally concerning, there is no way to determine how long the information was exposed or whether anyone else accessed it before it was secured.
The impact of such an incident is significant because information like Social Security numbers combined with driver’s licenses could be used for identity theft or financial fraud. Medical release forms could be abused to access additional healthcare records. Worse still, mental health evaluations tied to patients’ names could expose them to discrimination or harassment if misused.
Although marijuana is now legal for medical use in most US states, and recreationally in nearly half, federal law still classifies it as illegal. Many patients prefer to keep their use confidential, especially when sensitive conditions such as PTSD or anxiety are documented. Exposure of these details through mishandled records risks more than financial harm; it can affect personal relationships and employment.
Fowler emphasized that his work is limited to identifying and responsibly reporting exposed data. He does not download or share sensitive information beyond the minimal screenshots needed for verification.