A serious data exposure has raised alarm bells for hundreds of thousands of medical marijuana patients across the United States. A set of unsecured databases, totaling 323 gigabytes and nearly one million records, was discovered online without password protection or encryption, exposing deeply sensitive medical and personal information.

The databases contained 957,434 records, including high-resolution scans of driver’s licenses and state IDs that revealed names, addresses, dates of birth, and license numbers. Alongside identification files, folders labeled with patients’ names stored a wide range of documents: intake forms, release forms, physician certification forms containing Social Security numbers, as well as detailed mental health evaluations. Many records specifically documented medical diagnoses and the reasons patients were seeking medical marijuana prescriptions.

Medical and Personal Data Mixed

The majority of files were stored in PDF, JPG, and PNG formats, but one CSV file stood out for its sensitivity. Titled “staff comments”, it included an estimated 210,620 email addresses belonging to patients, staff, and business partners. Internal notes described patient appointments, personal circumstances, and communication between employees — material never intended for public view.

The records appeared to be connected to Ohio Medical Alliance LLC (OMA), which operates under the consumer-facing brand Ohio Marijuana Card. OMA is a telemedicine and in-person provider that helps patients secure physician-certified medical marijuana cards across multiple states. The company claims to have assisted more than 330,000 patients nationwide and operates clinics in Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia.

Disclosure and Response

The exposed databases were secured the day after the discovery, following a responsible disclosure notice sent to OMA. However, the company has not responded publicly to the disclosure, leaving unanswered questions about how the breach occurred and whether patients have been notified.

It is not yet clear whether OMA itself managed the databases or if a third-party contractor was responsible for the misconfiguration. The duration of exposure also remains unknown, raising the possibility that the records could have been accessed by unauthorized parties before discovery. Only a forensic investigation could determine whether malicious access took place.

A Compliance Contradiction

OMA’s website highlights its commitment to patient privacy, asserting that records are stored in a HIPAA-compliant file system. The scale of this exposure, however, directly contradicts those assurances and could expose the company to regulatory penalties and lawsuits.

Patient records in this database contained information so sensitive that their public exposure could lead to identity theft, fraud, discrimination, and reputational harm, particularly given the stigma that still surrounds medical marijuana use in some regions.

Broader Implications

This incident underscores a recurring issue in healthcare data security: the mismanagement of cloud storage or third-party systems that leave patient data exposed. With more than 323 GB of highly sensitive files, the OMA exposure ranks among the more severe healthcare-related data leaks of recent years.

Until OMA or regulators release more information, patients remain in the dark about the extent of the breach and the risks they may face.