Dispensary Data Breach Introduces Unique Problems for Cannabis Patients


Amedicanna in Halethorpe, Maryland was one of three dispensaries in the United States affected by a data breach, according to a report by internet privacy researchers and “ethical hackers” vpnMentor. The data breach consisted of information stored by THSuite, “a point-of-sale system in the cannabis industry,” and was discovered on December 24 when vpnMentor found THSuite’s Amazon cloud storage because, the report titled “Cannabis Users’ Sensitive Data Exposed in Data Breach” explained, it “was completely unsecured and unencrypted.” 

Exposed data included the personal information of 30,000 different people who have used Amedicanna, Bloom Medicinals (which has five locations in Ohio), and Colorado Grow Company in Durango, CO. Because vpnMentor only looked at a sampling of the vast amount of data, its research team said that other dispensaries could have also been affected.

Specifically, Amedicanna patients’ exposed personal information includes full name, phone number, street address, date of birth, medical/state identification number, cannabis gram limit, and personal signature. The exposed data also allowed vpnMentor to look at sales information that included name and medical identification number, the kind of cannabis purchased, the quantity, the cost, the date purchased, and the name of the Amedicanna employee who made the transaction.

A data breach, vpnMentor explained, also puts dispensary owners at a business disadvantage. The data could give other dispensaries access to patient data and dispensary inventory, and enables other dispensaries to “take advantage of [a data breach] to improve their pricing strategy and product offerings [and] use leaked customer information to create targeted ad campaigns.”

The Health Insurance Portability and Accountability Act (HIPPA) makes it a federal crime for a health service provider to expose health information that should be protected and could be used to identify an individual. One significant piece of personal information that was not exposed by this breach is a patient’s specific health conditions, though only because state regulations prevent dispensaries from having access to that information at all. But information such as a gram limit or even the kind of cannabis purchased could enable someone looking through the data to surmise details about a patient’s symptoms. 

Simply being in the database identifies the patient as a medicinal cannabis patient and so, the medicine prescribed has been made public by virtue of a patient going to a purveyor of that medicine, a dispensary. In contrast, if for example, the personal information from a pharmacy’s database were exposed (but not the symptoms or medicine prescribed) all that could be gleaned from that information is that a patient has been prescribed medicine of some kind. 

In that sense, exposing medicinal cannabis patients’ data is troubling in a unique way. Cannabis is still illegal under federal law, so this data breach is essentially, a list of people violating federal law. And many employers and in general elements of the culture still discriminate against people who use cannabis. “Customers and patients may face consequences at work due to their cannabis use being exposed. Some could even lose their jobs, especially if they work for a federal agency,” vpnMentor’s report said. “Even without the legal risks, there’s still a stigma surrounding marijuana use. Individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis.”

Karen Gullo of the Electronic Frontier Foundation (EFF), a nonprofit focused on digital privacy, told The Outlaw Report that while EFF could not comment directly on the Amedicanna data breach without looking into it further, the privacy concerns this data breach introduced should move custumers and patients to demand more protection.

“Companies that store consumers’ personal information—often without their knowledge—have an obligation to protect it. If they don’t, they should pay for the harm that ensues,” Gullo said. “After years of privacy scandals, technology users want better consumer privacy protections. That’s why we need strong consumer privacy laws that require companies to use best practices and exercise care to protect user information as a matter of course, not after a data breach occurs.”

Alex Howe of Harvest Health & Recreation, Inc., the medicinal cannabis firm working with Amedicanna told The Outlaw Report that Amedicanna is aware of the data breach and looking into it. 

“Matters of privacy and protection of our patient records are of utmost importance at Harvest,” Howe said. “Our cybersecurity team is actively investigating the situation, which will allow us to take appropriate steps.”

Image via vpnMentor.


Featured Business Member: