Cybersecurity researcher Jeremiah Fowler uncovered a massive data exposure affecting an Ohio-based medical marijuana provider.
An unencrypted and unprotected database containing 957,434 records was found publicly accessible. The database appears to belong to Ohio Medical Alliance LLC (OMA), which operates under the brand Ohio Marijuana Card and provides telemedicine and in-person evaluations to help patients obtain physician-certified medical marijuana cards.
The exposed database, totaling 323 GB, contained sensitive personal and medical information, including scanned driver’s licenses, Social Security numbers, medical intake forms, physician certifications, release forms, and mental health evaluations. A CSV file labeled “staff comments” included more than 210,000 email addresses along with internal notes about patients, appointments, and personal situations. Files were in PDF, JPG, and PNG formats and organized in folders named after patients.
The database was secured shortly after the exposure was discovered. It remains unclear how long the data was publicly accessible or whether anyone else accessed it. It is also unknown whether OMA managed the database directly or through a third-party contractor.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
