Nearly one million medical cannabis patients had their most sensitive personal data exposed online after Ohio Medical Alliance LLC left a massive database unsecured. The 323GB trove included Social Security numbers, mental health evaluations, physician reports, and government IDs—highlighting the privacy risks as legal cannabis expands nationwide.
A medical cannabis company in Ohio just became ground zero for one of the most sensitive healthcare data breaches in recent memory. Ohio Medical Alliance LLC, operating as Ohio Marijuana Card, left nearly one million patient records exposed on an unsecured database discovered in mid-July by security researcher Jeremiah Fowler.
The scope is staggering. The 323GB database contained Social Security numbers, mental health evaluations, physician reports documenting conditions from anxiety to HIV, and images of driver's licenses and government IDs from patients across multiple states. Even more troubling were the "offender release cards"—identification documents for recently released prisoners seeking medical marijuana cards—that Fowler discovered among the files.
"There were physicians' reports that would say what the underlying problem was—whether it was anxiety, cancer, HIV, or something else," Fowler told WIRED. "In some cases, the applicants would submit their own medical records as proof of their qualifying condition."
The breach exposes the dark side of cannabis industry growth. As legal marijuana markets explode nationwide, companies are amassing unprecedented troves of customer data, including deeply personal medical information required for medical cannabis card applications. Unlike typical retail breaches, this exposure combines financial data with protected health information—a perfect storm for identity theft and medical privacy violations.
Most files existed in PDF, JPG, and PNG formats, but a CSV document labeled "staff comments" revealed internal communications, appointment histories, and application statuses. That single file contained over 200,000 email addresses of employees, business associates, and customers—turning a data exposure into a comprehensive intelligence goldmine.
