Data breach exposes medical pot patients
Patient data from an Ohio dispensary was leaked online.
One Ohio medical marijuana dispensary was exposed in a national data breach leaking personally identifiable information for more than 30,000 people.
Bloom Medicinals, which operates five dispensaries in Ohio, was one of three cannabis companies identified in a Wednesday report revealing a recent leak involving THSuite, which provides point-of-sale systems to cannabis stores.
Internet researchers at vpnMentor were able to see patient and sales data, as well as dispensary compliance reports. Specifically, they were able to see patients’ names, date of birth, phone number, email address, street address, date of first purchase and whether or not the patient received financial assistance for purchases.
Researchers said patients could be harmed by having their identity leaked because marijuana remains illegal on the federal level and there is a stigma around its use.
They also found records of the dispensary’s monthly sales and discounts and of each product’s supplier and price
Bloom has locations in Akron, Columbus, Maumee, Painesville and Seven Mile, in Butler County.
A Bloom spokesman said the company is investigating the matter and working with THSuite to identify which, if any, Ohio patients were affected.
“Once we have identified any affected patients, we will notify each individual and follow HIPAA breach notification protocols,” the company said in a statement. “Bloom Medicinals serves tens of thousands of patients in multiple states and we take patient privacy very seriously. Rest assured we will implement any corrective action necessary to both remedy, and ensure, this does not happen again.”
Two other businesses AmediCanna Dispensary in Maryland and Colorado Grow Company - were identified in the breach but more could be affected.
Bloom is the only Ohio dispensary that uses THSuite, according to the Ohio Board of Pharmacy. A board spokeswoman deferred additional questions to Bloom.
“The Board takes any breach of data security and private patient information very seriously,” spokeswoman Ali Simon said in an email. “The Board cannot comment at this time, but is looking into this issue.”
The leaked data - more than 85,000 files - were discovered on Dec. 24, 2019. THSuite was notified of the leak on Dec. 26 and it closed on Jan. 14, according to vpnMentor.
State rules prohibit sharing “patient-specific dispensary transactions.” Dispensaries also must use electronic records systems that guarantee confidentiality. The researchers warned people could be vulnerable to phone or email phishing attacks, where scammers trick people into giving more personal information.