Patient ID breached at Ohio pot shop
Cannabis company has location in Butler County as probe continues.
— An Ohio medical marijuana dispensary is investigating whether patient identities have been revealed in a data breach that may affect 30,000 people nationwide.
Researchers for a company known as vpnMentor discovered the alleged breach Dec. 24 in THSuite, a point-of-sale system used in the cannabis industry. The researchers said Wednesday that
Bloom Medicinals’ patient information was exposed, along with information from dispensaries in Maryland and Colorado.
Bloom Medicinals has dispensaries in Akron, Columbus, Painesville Twp., Maumee and Seven Mile in Butler County. The internet researchers called the breach serious. In addition to potential identify theft, a patient’s reputation is at risk, as there remains a stigma associated with the drug.
According to vpnMentor, Bloom Medicinals’ inventory, monthly sales reports and compliant reports were exposed.
Also exposed were patients’ full names, birth dates, medical and state identifications and expiration dates, phone numbers, email addresses, street addresses, initial dates of purchase, whether the patients are considered indigent and received assistance in the medical marijuana program and whether they opted for text notifications from the store, vpnMentor said.
“We were able to view the dispensary’s monthly sales, discounts, returns, and taxes paid,” vpnMentor’s website states. “The sales were further broken down by payment method and product type.”
The company is aware that its technology vendor experienced a data breach, and it may have affected some patients.
“We’re working closely with our technology vendor to identify which, if any, Bloom Medicinal patients have been affected,” according to a company statement. “Once we have identified any affected patients, we will notify each individual and follow all HIPPA breach notification requirements.”
Since Jan. 16, 2019, when the first dispensaries opened in Ohio, thousands of patients have found relief, but growing pains remain.
Bloom Medicinals’ dispensaries are the only ones in the state that use the THSuite, said Cameron McNamee, a spokesman for the Ohio Board of Pharmacy, which regulates medical marijuana.
“The Board takes any breach of data security and private patient information very seriously,” he said in an email Wednesday night. “The Board cannot comment at this time, but is looking into this issue.”