Ohio Medical Alliance exposed a medical marijuana patient database containing 957,000 records, including SSNs, IDs, health records, and sensitive internal notes.
Cybersecurity researcher Jeremiah Fowler identified two unprotected, misconfigured databases containing nearly a million records linked to Ohio Medical Alliance LLC, a company better known under its brand name Ohio Marijuana Card.
Fowler, who reported the exposure to Website Planet, found that the databases had been left open without encryption or password protection, allowing anyone with an internet connection to access names, Social Security numbers (SSNs), dates of birth, home addresses, and high-resolution images of driver's licenses.
The files also contained deeply personal medical information, such as intake forms, physician certifications, and evaluations related to conditions like post-traumatic stress disorder (PTSD) and anxiety.
According to Fowler's report, shared with Hackread.com ahead of publication, the 323 GB of databases stored 957,434 records. Many files were PDFs and image formats, neatly organized in folders labeled with patient names.
In addition to medical documents, one CSV file named "staff comments" included internal notes, user updates, and more than 210,000 email addresses belonging to patients, employees, and business partners.
Ohio Medical Alliance LLC provides both telemedicine and in-person services to help patients obtain physician-certified medical marijuana cards. According to its website, the company has supported over 330,000 patients nationwide and operates clinics in states including Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia.
Once Fowler alerted the company, public access to the database was restricted the next day. However, he received no direct response to his disclosure. It remains unclear whether the data was managed internally by Ohio Medical Alliance or by a third-party contractor. Equally concerning, there is no way to determine how long the records were exposed or whether anyone else accessed them before they were secured.
The impact of such an incident is serious because data like Social Security numbers combined with driver's licenses could be used for identity theft or financial fraud. Medical release forms could be abused to access additional healthcare records. What's worse, mental health evaluations tied to patients' names could expose them to discrimination or harassment if misused.
Although marijuana is now legal for medical use in most US states, and recreationally in nearly half, federal law still classifies it as illegal. Many patients prefer to keep their use confidential, especially when sensitive conditions such as PTSD or anxiety are documented. Exposure of these details through mishandled records risks more than financial harm; it could affect personal relationships and employment.
Fowler emphasized that his work is limited to identifying and responsibly reporting exposed data. He does not download or share sensitive information beyond the minimal screenshots needed for verification.