Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database
An unsecured 323-GB database at Ohio Medical Alliance LLC exposed nearly 1 million medical cannabis patient records, including Social Security numbers, IDs, medical files, and emails—creating severe risks of identity theft, phishing, and misuse of sensitive health data.
This article reports on a major data exposure incident involving Ohio Medical Alliance LLC (also known as Ohio Marijuana Card). A publicly accessible 323-GB database contained nearly 1 million records belonging to medical cannabis card applicants.
Specific Types of Data Leaked
- Social Security numbers
- Government-issued identification documents (e.g. driver’s licenses, offender release cards)
- Medical records, physician reports, mental health evaluations
- ID images in PDF, JPG, PNG formats
- Email addresses—over 200,000 addresses belonging to employees, customers, business associates
- Physical addresses
- Dates of birth
- Medical details, including underlying conditions such as anxiety, cancer, HIV
- An internal plaintext CSV file labeled “staff comments” containing internal communications, appointment histories, client notes, and application statuses
Who Is Affected
Almost 1 million individuals who applied for medical cannabis cards through Ohio Medical Alliance LLC are affected. The records include highly personal and identifying information tied to medical history and identity.
Recommended Actions for Affected Individuals
- Monitor credit reports and financial accounts for suspicious activity, because SSNs and dates of birth were exposed.
- Watch for phishing attempts or identity-theft schemes using leaked email addresses, personal details, or health-related context.
- Secure all online accounts with strong, unique passwords and enable two-factor authentication (2FA) where possible.
- Contact Ohio Medical Alliance LLC to seek clarity on whether the incident triggered breach notification responsibilities, and request any remediation support (e.g. credit monitoring or identity protection services if offered).
- File any required breach reports with relevant regulatory bodies (e.g. state attorney general’s office or the FTC where applicable).
Context and Risk
Database misconfiguration remains a widespread threat despite increased awareness. Exposure of such sensitive health information, including mental-health evaluations and physician reports, amplifies the risk of identity theft, targeted phishing, reputational harm, and potential discrimination based on medical status. The significance of securing healthcare and cannabis-related data cannot be overstated.