Ohio Medical Alliance LLC (Ohio Marijuana Card)

Ohio Medical Alliance LLC exposed two unprotected, misconfigured databases containing 957,434 records of medical marijuana patients, including Social Security numbers (SSNs), driver’s license images, home addresses, dates of birth, and deeply sensitive medical files (e.g., PTSD evaluations, physician certifications, and intake forms). The 323 GB of exposed data also included a CSV file with 210,000+ email addresses (patients, employees, business partners) and internal staff comments. The databases lacked encryption or password protection, allowing unrestricted public access until cybersecurity researcher Jeremiah Fowler reported the exposure. The breach risks identity theft, financial fraud, healthcare record abuse, and discrimination, risks that are particularly severe given the federal illegality of marijuana and the sensitivity of mental health disclosures. The company restricted access after notification but provided no confirmation on whether the data was accessed by malicious actors or how long it remained exposed. Third-party involvement in data management remains unconfirmed.

Source: https://hackread.com/ssns-health-records-exposed-marijuana-patient-database/

TPRM report: https://www.rankiteo.com/company/ohio-medical

"id": "ohi500082225",
"linkid": "ohio-medical",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '957,434 records exposed',
                        'industry': 'medical marijuana/telemedicine',
                        'location': 'Ohio, USA (with clinics in Arkansas, '
                                    'Kentucky, Louisiana, Virginia, West '
                                    'Virginia)',
                        'name': 'Ohio Medical Alliance LLC (Ohio Marijuana '
                                'Card)',
                        'size': '330,000+ patients supported nationwide',
                        'type': 'healthcare provider'}],
 'attack_vector': 'misconfigured/unprotected databases (no encryption or '
                  'password protection)',
 'data_breach': {'data_encryption': 'no (databases were unencrypted)',
                 'file_types_exposed': ['PDFs',
                                        'images (e.g., driver’s licenses)',
                                        'CSV (e.g., staff comments)'],
                 'number_of_records_exposed': '957,434',
                 'personally_identifiable_information': ['names',
                                                         'SSNs',
                                                         'dates of birth',
                                                         'home addresses',
                                                         'driver’s license '
                                                         'images',
                                                         'email addresses'],
                 'sensitivity_of_data': 'extremely high (SSNs, medical '
                                        'diagnoses, driver’s licenses, mental '
                                        'health records)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'protected health information '
                                              '(PHI)',
                                              'medical records',
                                              'internal business documents']},
 'description': 'Ohio Medical Alliance (Ohio Marijuana Card) exposed two '
                'unprotected, misconfigured databases containing nearly one '
                'million records of medical marijuana patients, including '
                'SSNs, IDs, health files, and sensitive internal notes. The '
                '323 GB of data included 957,434 records with deeply personal '
                'medical information, such as intake forms, physician '
                'certifications, and evaluations for conditions like PTSD and '
                'anxiety. The exposure was discovered by cybersecurity '
                'researcher Jeremiah Fowler, who reported it to Website '
                'Planet. Public access was restricted after disclosure, but '
                'the duration of exposure and potential unauthorized access '
                'remain unknown.',
 'impact': {'brand_reputation_impact': 'high (potential loss of trust due to '
                                       'exposure of sensitive medical and '
                                       'personal data)',
            'data_compromised': ['names',
                                 'Social Security numbers (SSNs)',
                                 'dates of birth',
                                 'home addresses',
                                 'high-resolution images of driver’s licenses',
                                 'medical intake forms',
                                 'physician certifications',
                                 'mental health evaluations (e.g., PTSD, '
                                 'anxiety)',
                                 'internal staff comments',
                                 '210,000+ email addresses (patients, '
                                 'employees, business partners)'],
            'identity_theft_risk': 'high (SSNs + driver’s licenses exposed)',
            'legal_liabilities': 'potential (violation of HIPAA or state '
                                 'privacy laws, federal marijuana-related '
                                 'legal risks)',
            'systems_affected': ['two unprotected databases (323 GB total)']},
 'investigation_status': 'ongoing (duration of exposure and unauthorized '
                         'access unknown)',
 'lessons_learned': ['Critical importance of access controls and encryption '
                     'for databases containing sensitive data.',
                     'Need for proactive monitoring to detect '
                     'misconfigurations.',
                     'Risks of third-party data handling (if applicable) '
                     'require clearer contractual obligations.',
                     'Medical marijuana patient data requires heightened '
                     'protection due to federal legal ambiguities and stigma '
                     'risks.'],
 'post_incident_analysis': {'root_causes': ['Misconfigured databases lacking '
                                            'password protection and '
                                            'encryption.',
                                            'Inadequate access controls for '
                                            'sensitive patient data.',
                                            'Potential lack of regular '
                                            'security audits or monitoring.']},
 'recommendations': ['Implement robust encryption and multi-factor '
                     'authentication for all databases.',
                     'Conduct regular security audits and penetration testing '
                     'for misconfigurations.',
                     'Establish a clear incident response protocol with timely '
                     'stakeholder communication.',
                     'Provide identity theft protection services to affected '
                     'patients.',
                     'Review third-party vendor security practices (if data '
                     'was managed externally).',
                     'Enhance employee training on data handling and privacy '
                     'compliance.'],
 'references': [{'source': 'Website Planet (via Jeremiah Fowler)'},
                {'source': 'Hackread.com'}],
 'regulatory_compliance': {'regulations_violated': ['potential HIPAA '
                                                    'violations',
                                                    'state privacy laws']},
 'response': {'containment_measures': ['restricted public access to databases'],
              'incident_response_plan_activated': 'yes (access restricted '
                                                  'after researcher '
                                                  'disclosure)'},
 'title': 'Ohio Medical Alliance Exposed Medical Marijuana Patient Database',
 'type': ['data breach', 'misconfiguration', 'unauthorized access'],
 'vulnerability_exploited': 'lack of access controls and encryption for '
                            'cloud-hosted databases'}