As authorized hashish has expanded round america for each leisure and medical use, corporations have amassed troves of knowledge about prospects and their transactions. Individuals who have utilized for medical marijuana playing cards have needed to share significantly private well being knowledge to qualify. For some sufferers in Ohio who use medical weed, a current knowledge publicity might impression their delicate info.
Safety researcher Jeremiah Fowler discovered a publicly accessible database in mid-July that appeared to include medical data, psychological well being evaluations, doctor experiences, and pictures of IDs like driver’s licenses for individuals in search of medical hashish playing cards. The 323GB trove saved near 1,000,000 data, together with Social Safety numbers, electronic mail addresses, bodily addresses, dates of start, and medical knowledge—all organized by identify.
Based mostly on info that appeared to explain particular workers and enterprise companions, Fowler suspected that the information belonged to the Ohio-based firm Ohio Medical Alliance LLC, which fits by the identify Ohio Marijuana Card. Fowler contacted the corporate on July 14; when he checked the database the following day, it had been secured and was not publicly accessible on-line. Fowler didn’t obtain a response about his submission.
Ohio Medical Alliance didn’t reply WIRED’s questions on Fowler’s findings. At one level, although, the corporate’s president, Cassandra Brooks, wrote in an electronic mail: “I want time to analyze this alleged incident. We take knowledge safety very severely and are wanting into this matter.”
“There have been physicians’ experiences that will say what the underlying drawback was—whether or not it was nervousness, most cancers, HIV, or one thing else. In some circumstances, the candidates would submit their very own medical data as proof” of their qualifying situation, Fowler tells WIRED. “I noticed identification paperwork from plenty of states, from in all places. And I even noticed offender launch playing cards, that are principally IDs for individuals who simply acquired out of jail that they submitted as proof of id to get a medical marijuana card.”
Fowler says that many of the information within the database had been picture codecs like PDFs, JPGs, and PNGs. One CSV plaintext doc known as “employees feedback” gave the impression to be an export of inner communications, appointment histories, notes about purchasers, and software standing. That file additionally contained extra then 200,000 electronic mail addresses of Ohio Medical Alliance workers, enterprise associates, and prospects.
Databases which might be misconfigured and have inadvertently been left publicly uncovered on the open web are a frequent drawback on-line regardless of efforts to boost consciousness concerning the mistake and its privateness implications.