Medical marijuana company sued after 1M records leaked online

A class action lawsuit has been filed against a company that helps patients in six states to obtain their medical marijuana cards and schedules appointments with certified physicians. The case comes after a cybersecurity researcher discovered a massive data trove online linked to the organization. 

The complaint was filed in Ohio against Ohio Medical Alliance, doing business as Ohio Medical Card. However, the same group operates in Arkansas, Kentucky, Louisiana, Virginia and West Virginia, with each state having a separate web portal for patients.

The plaintiffs allege that Ohio Medical Card failed to secure sensitive data, including protected health information, which was discovered online by Jeremy Fowler, a cybersecurity investigator writing for Website Planet. Fowler released his report in August, claiming he discovered a publicly accessible database online containing 323 GB of unencrypted data, including 957,434 patient records.

Those records, Fowler said, contained details on patient diagnoses, complete with mental health exams, along with personal documents that identified the individuals seeking medical marijuana cards. Fowler added that the trove was not so much as protected by a password.

“In a limited sampling of the exposed records, I saw documents that included high-resolution images of driver’s licenses or identification documents that contained names, physical addresses, dates of birth, and license numbers,” he wrote. “The folders were labeled with the first and last names of the patients and contained intake forms, medical records, release forms, physician certification forms with Social Security numbers, mental health evaluations, and identification documents from multiple states.”

Redacted, high-resolution screenshots were posted of driver’s licenses, medical questionnaires and internal emails. Fowler said 210,620 email addresses were easily visible in the documents. 

He identified the data as belonging to Ohio Medical Alliance; however, it remains unclear whether the company itself was the source of the leak or whether the trove came from a contractor. Fowler added that he could not confirm how long the database had been exposed to the Internet before he was able to find it in July.

At that time, he wrote that he notified the company—something that James Jindra, the lead plaintiff in the case, mentioned in the court filing. 

Jindra is a client of Ohio Medical Card. He maintains that the business failed to notify him—or anyone else—about the data leak, despite the risks of it being used for identity theft. He accuses it of failing to implement adequate security measures. 

Company denies it was notified in July

In a Sept. 22 notice posted on all of its websites, Ohio Medical Card acknowledged the “data incident” and confirmed that it was contacted about Fowler gaining access. However, it claimed the notice came in on Aug. 15, not in July. 

“In response, we took immediate action to begin securing the system and investigate the event, which included engaging third-party specialists to assist with determining the nature and scope of the incident,” the statement reads. “The investigation determined that certain parts of an Ohio Medical Alliance database were inadvertently left accessible by a third-party vendor while making changes to the database.”

“However, the investigation did not identify any evidence that information within the database was impacted beyond the limited information viewed or copied by the individual who contacted us,” the company added, confirming that it will offer all impacted individuals identity protection services free of charge. 

Notably, Fowler’s report was published on Aug. 19. 

In the lawsuit, which has been given class action status, Jindra is asking the court to ensure Ohio Medical Alliance secures its data and is held accountable as a HIPAA-covered entity. According to its website, the organization represents over 330,000 patients. 

It’s not clear if and when litigation proceedings will move forward.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
