Ohio Medical Alliance exposed a medical marijuana patient database containing 957,000 records, including SSNs, IDs, health files, and sensitive internal notes.
Cybersecurity researcher Jeremiah Fowler identified two unprotected, misconfigured databases containing nearly one million records linked to Ohio Medical Alliance LLC, a company better known under its brand name Ohio Marijuana Card.
Fowler, who reported the exposure to Website Planet, found that the databases were left open without encryption or password protection, allowing anyone with an internet connection to access names, Social Security numbers (SSN), dates of birth, home addresses, and high-resolution images of driver’s licenses.
The files also contained deeply personal medical information, such as intake forms, physician certifications, and evaluations related to conditions like post-traumatic stress disorder (PTSD) and anxiety.
According to Fowler’s report, shared with Hackread.com ahead of publication, the databases held 957,434 records totaling 323 GB. Many files were PDFs and image formats, neatly organized in folders labeled with patient names.
In addition to medical documents, one CSV file named “staff comments” included internal notes, client updates, and more than 210,000 email addresses belonging to patients, employees, and business partners.
Ohio Medical Alliance LLC provides both telemedicine and in-person services to help patients obtain physician-certified medical marijuana cards. According to its website, the company has supported over 330,000 patients nationwide and operates clinics in states including Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia.
Once Fowler alerted the company, public access to the database was restricted the following day. However, he received no direct response to his disclosure. It remains unclear whether the data was managed internally by Ohio Medical Alliance or by a third-party contractor. Equally concerning, there is no way to determine how long the information was exposed or whether anyone else accessed it before it was secured.
The impact of such an incident is serious because information like Social Security numbers combined with driver’s licenses could be used for identity theft or financial fraud. Medical release forms could be abused to access additional healthcare records. What’s worse, mental health evaluations tied to patients’ names could expose them to discrimination or harassment if misused.
Although marijuana is now legal for medical use in most US states, and recreationally in nearly half, federal law still classifies it as illegal. Many patients prefer to keep their use confidential, especially when sensitive conditions such as PTSD or anxiety are documented. Exposure of these details through mishandled records risks more than financial harm; it can affect personal relationships and employment.
Fowler emphasized that his work is limited to identifying and responsibly reporting exposed data. He does not download or share sensitive records beyond the minimum screenshots needed for verification.