Nearly one million medical cannabis patients had their most sensitive personal data exposed online after Ohio Medical Alliance LLC left a massive database unsecured. The 323GB trove included Social Security numbers, mental health evaluations, physician reports, and government IDs—highlighting the privacy risks as legal cannabis expands nationwide.
A medical cannabis company in Ohio just became ground zero for one of the most sensitive healthcare data breaches in recent memory. Ohio Medical Alliance LLC, operating as Ohio Marijuana Card, left nearly one million patient records exposed on an unsecured database discovered in mid-July by security researcher Jeremiah Fowler.
The scope is staggering. The 323GB database contained Social Security numbers, mental health evaluations, physician reports documenting conditions from anxiety to HIV, and images of driver's licenses and government IDs from patients across multiple states. Even more troubling were the "offender release cards"—identification documents for recently released prisoners seeking medical marijuana cards—that Fowler discovered among the files.
"There were physicians' reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else," Fowler told WIRED. "In some cases, the applicants would submit their own medical records as proof of their qualifying condition."
The breach exposes the dark side of cannabis industry growth. As legal marijuana markets explode nationwide, companies are amassing unprecedented troves of customer data, including deeply personal medical information required for medical cannabis card applications. Unlike typical retail breaches, this exposure combines financial data with protected health information—a perfect storm for identity theft and medical privacy violations.
Most files existed in PDF, JPG, and PNG formats, but a CSV document labeled "staff comments" revealed internal communications, appointment histories, and application statuses. That single file contained over 200,000 email addresses of employees, business associates, and customers—turning a data exposure into a comprehensive intelligence goldmine.
Fowler contacted Ohio Medical Alliance on July 14. The database vanished from public access the next day, but company president Cassandra Brooks offered only a terse response: "I need time to investigate this alleged incident. We take data security very seriously and are looking into this matter." The company hasn't responded to further inquiries about the breach's scope or patient notifications.
This incident highlights a brewing crisis in cannabis data security. Medical marijuana patients must disclose intimate health details to qualify for cards, creating rich datasets that criminal organizations increasingly target. Misconfigured databases exposing sensitive information have become a common cybersecurity failure, but healthcare data breaches carry enhanced legal penalties and reputational damage.
The timing couldn't be worse for cannabis companies seeking legitimacy. As the industry pushes for federal legalization and banking access, security incidents like this fuel regulatory skepticism and could trigger enhanced oversight requirements. State cannabis regulators are already scrutinizing data handling practices, and this breach may accelerate mandatory cybersecurity standards.
For the nearly one million affected patients, the implications are severe. Medical cannabis stigma persists in many communities, making exposed health conditions potentially damaging to careers and relationships. Combined with Social Security numbers and addresses, this data enables sophisticated identity theft campaigns targeting a vulnerable population already operating in legal gray areas.
The Ohio Medical Alliance breach represents more than just another data exposure—it's a warning shot for an industry handling uniquely sensitive information without adequate safeguards. As cannabis legalization accelerates, companies must recognize that patient trust, built on promises of discretion and medical privacy, can evaporate overnight through basic security failures. The nearly one million affected patients now face potential identity theft, medical discrimination, and privacy violations that could follow them for years, all because a database was left unsecured on the open internet.
