A cybersecurity researcher disclosed that two unprotected, misconfigured databases tied to Ohio Medical Alliance LLC – better known as Ohio Marijuana Card – exposed 957,434 patient records in about 323 GB of data. A report by Website Planet details the breach and the scope of the exposure.
The exposed data included names, Social Security numbers, dates of birth, home addresses and high-resolution images of driver’s licenses, according to the disclosure.
Files also contained sensitive medical information, such as intake forms, physician certifications and evaluations relating to conditions like PTSD and anxiety.
A CSV file titled ‘staff comments’ contained internal notes, client updates and more than 210,000 email addresses belonging to patients, employees and business partners.
After the researcher alerted Ohio Medical Alliance, public access to the databases was restricted the following day. It is not clear whether the data were managed in-house or by a third-party contractor, and the duration of exposure remains unknown.
Ohio Medical Alliance provides telemedicine and in-person services to help patients obtain physician-certified medical marijuana cards and operates clinics in several states, including Ohio, Arkansas, Kentucky, Louisiana, Virginia and West Virginia. The company says it has supported more than 330,000 patients nationwide.
Experts warn that the combination of Social Security numbers and driver’s-license images can enable identity theft or financial fraud, and that the mental-health records, if misused, could expose patients to discrimination or harassment. Researchers emphasize responsible disclosure and note it remains unclear how long the data were exposed.