Ohio Marijuana Card Data Breach Exposes 957K Patient Records
Unencrypted 323 GB medical cannabis database exposed almost one million sensitive patient records—including SSNs and driver’s licenses
A massive breach of patient data tied to Ohio's medical marijuana program has brought privacy concerns in the cannabis industry to the forefront. In mid-July 2025, cybersecurity researcher Jeremiah Fowler uncovered an unsecured database containing over 957,000 records affiliated with Ohio Medical Alliance LLC, the company doing business as Ohio Marijuana Card.
Spanning 323 gigabytes, the exposed data included driver's license images, Social Security numbers, medical records, intake forms, and mental health evaluations. Particularly alarming was a CSV file labeled "staff comments," which stored internal communications and roughly 210,620 email addresses belonging to patients, employees, and third-party contacts.
Fowler reported the breach on July 14. Within a day, the database was secured, but no official public response was issued by Ohio Medical Alliance LLC. Although a representative later confirmed that an internal investigation was underway, no further comment or notification to affected individuals was made public by press time.
Responsible Disclosure and Silence in Return
Fowler, known for identifying and responsibly disclosing data vulnerabilities, initially contacted the Ohio-based company on July 14, 2025. The database—left open to the public without authentication—was locked down by July 15. Despite the quick fix, the company provided no acknowledgement of receipt or follow-up to the disclosure.
The lack of communication drew scrutiny, especially given the nature of the information exposed. The leak covered personal identifiers and health information of the kind the Health Insurance Portability and Accountability Act (HIPAA) protects, although, as discussed below, whether the company is a HIPAA covered entity is not clear-cut. Fowler emphasized that he found no evidence of ransomware or malicious tampering, suggesting the exposure was likely due to human error or misconfigured cloud storage. That finding is narrower than it sounds: an outside researcher can only see that the database was open, not who else connected to it. Only the company's own access logs could show whether anyone reached the data before it was locked down, and nothing on that point has been made public.
What Was Exposed
Fowler's analysis detailed a staggering level of sensitive content:
Government-issued ID images from multiple U.S. states
Full names, dates of birth, physical addresses
Mental health assessments, often related to qualifying conditions like PTSD or anxiety
Physician-signed medical marijuana certifications
Social Security numbers embedded within intake forms
The staff comments file raised further concerns. It included appointment notes, internal follow-ups, and email addresses that could enable phishing or identity theft attempts. The presence of patient medical records outside a secured system underscores a critical breakdown in information governance.
Who Is Ohio Medical Alliance LLC?
Ohio Medical Alliance LLC operates under the name Ohio Marijuana Card, a major player in the state’s medical marijuana certification space. Their clinics help patients obtain recommendations from state-licensed physicians to access dispensaries under Ohio law.
Following the breach, the company has remained publicly silent. Internal sources later confirmed to Wired that a probe had begun, but the absence of a public statement or patient notifications suggests either legal uncertainty or institutional hesitation. Either way, the stakes for patient trust and organizational accountability are high.
Why This Breach Matters
Data breaches are not rare, but breaches involving medical cannabis patients introduce unique and often overlooked risks. Patients seeking cannabis treatment often do so for conditions still stigmatized in public discourse—mental health disorders, chronic pain, or terminal illness. The exposure of their information opens the door not only to identity theft, but also discrimination, employment risk, and emotional harm.
Moreover, medical cannabis companies occupy a legal gray area. Though authorized at the state level, cannabis remains illegal under federal law, which produces regulatory inconsistencies. HIPAA's privacy and security rules bind only covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically for standard transactions such as insurance billing) and their business associates. A certification clinic that does not bill insurers may fall outside that definition, in which case HIPAA may not apply at all, leaving patients with state breach-notification and consumer-protection law as their main recourse after a data breach.
It also reflects a systemic problem: cloud infrastructure misconfigurations are a leading cause of unintentional data exposure. In 2024 alone, security firms documented more than 1,200 breaches caused by unsecured databases across various sectors. What makes the Ohio Marijuana Card incident different is the volume of healthcare-grade information and the vulnerable population it affects.
Next Steps and Legal Ramifications
Ohio Medical Alliance may be required to notify affected individuals under state data breach laws. Legal experts suggest the breach could trigger scrutiny from both HIPAA regulators and Ohio's attorney general. Already, law firms like Federman & Sherwood and Strauss Borrelli PLLC have launched investigations to assess liability and pursue potential class-action litigation.
Patients are being urged to monitor their credit reports, change email passwords, and be alert for phishing scams. Given what was exposed, some of these steps matter more than others: no passwords were reported in the leak, so changing them offers limited protection, whereas Social Security numbers and driver's license images are exactly what is needed to open accounts in someone else's name. A credit freeze at each of the three major credit bureaus, which is free by law, blocks new credit applications outright and is a stronger measure than monitoring alone. Phishing awareness matters because a list of 210,620 addresses tied to a known clinic lets an attacker impersonate that clinic convincingly. These are precautionary steps, but they do little to address the core concern: an organization trusted with medical information failed to secure it.
Equally important is what this means for broader cannabis regulation. As the sector matures, medical marijuana programs increasingly resemble traditional healthcare in both structure and data handling. Regulators and lawmakers must respond accordingly, enforcing security standards that reflect the sensitivity of medical cannabis records.
What Cannabis Clinics Must Do Now
This breach should serve as a wake-up call for all healthcare-adjacent organizations in the cannabis space. As certification providers and dispensaries digitize operations, they must implement the same security protocols as any hospital or medical office.
That means encrypting sensitive data both at rest and in transit, conducting regular security audits and compliance checks, ensuring that cloud storage and databases are configured with proper access controls and authentication, and training staff on cybersecurity best practices. One caveat deserves emphasis: encryption at rest would not have prevented an exposure of this kind. A database that answers queries without authentication hands its contents to anyone who connects, however the underlying disks are encrypted. The controls that address this failure mode directly are network restrictions and mandatory authentication on every data store, plus routine scans of the organization's own internet-facing addresses so that an accidentally exposed service is found by the operator before a researcher or an attacker finds it. Exports such as the "staff comments" CSV should also be scanned for identifiers before they are copied anywhere outside the system of record.
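As an added example that is not code from Ohio Marijuana Card or from the article's author, the Python script below scans a CSV export for Social Security numbers, email addresses and dates of birth and produces a redacted copy, the kind of check that would flag a file like the "staff comments" CSV before it is moved to shared storage. The sample rows and column names are constructed for illustration and are assumptions, not data from the breach.

```python
"""Scan a CSV export for sensitive identifiers before it is shared or stored.

Added example; not code from Ohio Marijuana Card or the article's author.
The sample rows and column names below are constructed and are assumptions.
"""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Tuple

# SSNs in ddd-dd-dddd form. Area numbers 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so they are rejected to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# US-style dates MM/DD/YYYY; a date of birth beside a name is PII.
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

PATTERNS = {"ssn": SSN_RE, "email": EMAIL_RE, "dob": DOB_RE}

# Constructed sample resembling an internal notes export. All values are fake.
SAMPLE_CSV = """patient_id,note,contact
1001,"Intake complete. SSN 123-45-6789 on file, DOB 04/12/1985",jane.doe@example.com
1002,"Follow-up needed re PTSD eval",staff@example.org
1003,"Card renewal. ID copy received. ssn: 000-12-3456 (typo?)",
1004,"Called patient, left voicemail 555-0134",
"""


def scan_row(row: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (column, kind, match) for every sensitive value found in one row."""
    hits = []
    for column, value in row.items():
        if not value:
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(value):
                hits.append((column, kind, m.group(0)))
    return hits


def scan_csv(text: str) -> dict:
    """Scan every record; return per-kind counts and the flagged records."""
    reader = csv.DictReader(io.StringIO(text))
    counts: Counter = Counter()
    flagged = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        hits = scan_row(row)
        if hits:
            flagged.append((lineno, hits))
            counts.update(kind for _, kind, _ in hits)
    return {"counts": dict(counts), "flagged_rows": flagged}


def redact(value: str) -> str:
    """Mask identifiers so the file can be shared for triage without them."""
    value = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], value)
    value = EMAIL_RE.sub(
        lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], value
    )
    value = DOB_RE.sub("**/**/****", value)
    return value


def redact_csv(text: str) -> str:
    """Return the export with every detected identifier masked."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow({k: redact(v) if v else v for k, v in row.items()})
    return out.getvalue()


if __name__ == "__main__":
    report = scan_csv(SAMPLE_CSV)
    print(report["counts"])
    for lineno, hits in report["flagged_rows"]:
        for column, kind, match in hits:
            print(f"line {lineno}: {kind} in column {column!r}: {match}")
    print(redact_csv(SAMPLE_CSV))
```

The SSN pattern deliberately rejects area numbers 000, 666 and 900-999, group 00 and serial 0000, which are never issued, so the malformed value in the third sample row is not counted. Unformatted nine-digit strings are not matched, to avoid flagging phone numbers and record IDs; a real deployment would add tuned patterns for the identifiers its own exports actually contain.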
The Marijuana Doctor, which provides medical marijuana evaluations and certifications in Arizona, has long advocated for patient privacy and transparent practices. As part of its onboarding process, The Marijuana Doctor ensures that patient data is encrypted, access-restricted, and never stored in publicly accessible systems. It’s a protocol that should be industry standard.
Patient Trust Requires More Than Compliance
The Ohio Marijuana Card breach highlights how data negligence in the medical marijuana sector can cause serious, wide-ranging harm. It underscores the urgent need for better cybersecurity practices, clearer regulations, and a cultural shift toward respecting patient data with the same seriousness afforded in traditional healthcare.
Patients entrust certification providers with deeply personal information. That trust is foundational. Without it, the promise of medical cannabis—relief, wellness, autonomy—is compromised. This incident should mark a turning point: data security is no longer optional. It’s a moral and operational imperative for every entity in the cannabis care chain.
***
Marijuana Doctor is your premier destination for seamless medical marijuana licensing. Our compassionate team guides you with expertise, ensuring a smooth process. Discover the therapeutic benefits in a supportive environment that prioritizes your well-being.
Join a community championing alternative healing methods for a healthier life. Choose Marijuana Doctor for personalized, patient-centered care, and step into a revitalized future.