A cyber security researcher has provided details of a huge medical cannabis patient database that he claims was publicly accessible.
As medical cannabis programs proliferate around the world, so too does the amount of related sensitive patient information stored in online databases. Some are better protected than others, and in a worst case scenario, not at all.
Jeremiah Fowler is an experienced cyber security researcher, technologist, and journalist claiming to have discovered thousands of data breaches across various sectors over the past decade or so.
Fowler recently wrote about an unencrypted and non-password-protected database he states he discovered, belonging to an Ohio-based organisation that assists patients in acquiring marijuana ID cards. The database reportedly contained 957,434 records.
Mr. Fowler says he sighted:
- High-resolution images of driver’s licenses.
- Identification documents that contained names, physical addresses, date of birth, and license numbers.
- Intake forms.
- Medical records.
- Release forms.
- Physician certification forms with Social Security Numbers.
- Mental health evaluations.
- Identification documents from multiple states.
Fowler says he sent a responsible disclosure notice to the organisation involved. While he received no reply, the database was restricted from public access the following day.
“Companies and organizations that collect and store potentially sensitive documents (like patient information and health data) should take additional security measures to prevent unauthorized access and accidental data exposures,” he says.
Among his recommendations:
- Use encryption.
- Password protect PDF files.
- Don’t store all data in one place.
- Isolate records not in active use.
- Use role-based permissions and time-restricted access to sensitive files.
- Provide proper training on security issues such as data privacy, data protection, and phishing awareness.
Fowler notes that generally speaking, medical health and mental health records are protected under the Health Insurance Portability and Accountability Act (HIPAA) in the USA, which has strict privacy and security standards.
“There are mixed messages regarding HIPAA coverage and the medical cannabis industry, but when individual employees of HIPAA-covered entities access PHI, they are subject to HIPAA’s privacy and security rules,” he says.
Such incidents are particularly unsettling for patients given the sensitive nature of their information and what could be done with it. Patients should therefore weigh not only service and product quality before signing up with a provider, but also ask how that provider secures their personal and medical information.