As legal cannabis has expanded around the USA for both recreational and medical use, companies have amassed troves of data about customers and their transactions. People who have applied for medical marijuana cards have had to share particularly private health data to qualify. For some patients in Ohio who use medical weed, a recent data exposure may affect their sensitive information.
Security researcher Jeremiah Fowler discovered a publicly accessible database in mid-July that appeared to contain medical records, mental health evaluations, physician reports, and images of IDs like driver’s licenses for people seeking medical cannabis cards. The 323GB trove stored close to one million records, including Social Security numbers, email addresses, physical addresses, dates of birth, and medical data—all organized by name.
Based on information that appeared to describe specific employees and business partners, Fowler suspected that the data belonged to the Ohio-based company Ohio Medical Alliance LLC, which goes by the name Ohio Marijuana Card. Fowler contacted the company on July 14; when he checked the database the next day, it had been secured and was no longer publicly accessible online. Fowler didn’t receive a response about his submission.
Ohio Medical Alliance didn’t answer WIRED’s questions about Fowler’s findings. At one point, though, the company’s president, Cassandra Brooks, wrote in an email: “I would like time to research this alleged incident. We take data security very seriously and are looking into this matter.”
“There were physicians’ reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else. In some cases, the applicants would submit their own medical records as proof” of their qualifying condition, Fowler tells WIRED. “I saw identification documents from a lot of states, from everywhere. And I even saw offender release cards, which are basically IDs for people who just got out of jail that they submitted as proof of identity to get a medical marijuana card.”
Fowler says that a lot of the files in the database were image formats like PDFs, JPGs, and PNGs. One CSV plaintext document called “employees feedback” appeared to be an export of internal communications, appointment histories, notes about clients, and application status. That file also contained more than 200,000 email addresses of Ohio Medical Alliance employees, business associates, and customers.
Databases that are misconfigured and have inadvertently been left publicly exposed on the open internet are a common problem online despite efforts to raise awareness about the mistake and its privacy implications.