Personal details, anxiety- and post-traumatic stress disorder-assessments, and physician certifications, were exposed.
Ohio Medical Alliance, also known as Ohio Marijuana Card, had 957,434 records inadvertently exposed by a pair of misconfigured patient databases.
Data leaked by the alternative medicine practitioner's 323 GB databases included patients' names, birthdates, Social Security numbers, home addresses, and driver's license scans, as well as intake forms, anxiety- and post-traumatic stress disorder-assessments, and physician certifications, according to an analysis by researcher Jeremiah Fowler.
Over 210,000 patient, employee, and business partner email addresses have also been exposed by the "staff comments" CSV file, which also included internal notes and client updates.
Additional details regarding the databases' manager or the duration of data exposure remain uncertain, said Fowler, who noted immediate access restrictions to the databases upon reporting the issue to Ohio Medical Alliance. Individuals affected by the incident have been warned of potential identity theft or financial fraud incidents.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
