Privacy Firm Finds Unsecured Cannabis Patient Information

An internet privacy firm says it was able to access private personal information of more than 30,000 medical marijuana patients, recreational pot customers or dispensary employees in several states.

The privacy firm was searching for unsecured data online and says the database has now been secured.

The privacy firm, vpnMentor, said in a report posted on its website that Seattle-based software firm THSuite had failed to encrypt or secure the data, which was stored in the cloud via Amazon Web Services. It discovered the breach Dec. 24, and the database was closed Jan. 14.

THSuite did not return an email seeking comment Thursday. The company provides point-of-sale software for the cannabis industry that can integrate with state-mandated marijuana tracking systems.

Among the dispensaries with unsecured customer and employee information were Amedicanna, a marijuana dispensary in Maryland, and Bloom Medicinals, with several locations in Ohio, the privacy firm said. A recreational pot retailer in Colorado, Colorado Grow Company, was also affected, though it wasn’t clear if customer information was involved.

Among the unsecured patient information were full names, birth dates, and signatures as well as street and email addresses. There was also information about dispensary inventory, sales and employee names, the privacy firm said.

VpnMentor said it only checked a small sample of the records, and it’s certain that many more dispensaries could have the same problem. “It’s possible that all THSuite clients and their customers were involved,” it said.

The privacy firm said the breach could raise issues regarding patient privacy under federal law.