North Baltimore, Ohio

December 6, 2024 7:16 pm

The District Update – Water Shed
Need A Chiropractor
BVHS New Womens Health
Resize
June 2023 Left Rail
OB You’re Expecting
Sept. 2023
Logo & Info Aug 2023
Size Update
Temporary
Sept. 2023
Amplex Fiber June 2024
Logo

Report: Ohio Cannabis Users’ Sensitive Data Exposed in Data Breach

Report: Ohio Cannabis Users’ Sensitive Data Exposed in Data Breach

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach in THSuite, a point-of-sale system in the cannabis industry.

Our team identified an unsecured Amazon S3 bucket owned by THSuite that exposed sensitive data from multiple marijuana dispensaries around the US.

The leaked data included scanned government and employee IDs, exposing personally identifiable information (PII) for over 30,000 individuals.

THSuite Company Profile

THSuite offers business process management software services to cannabis dispensary owners and operators in the US.

Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws. The THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system.

As a consequence of this, the platform has access to a lot of private data related to dispensaries and their customers.

Timeline of Discovery and Owner Reaction

Data breaches often take days of investigation before we can understand what’s at stake or who’s leaking the data.

In this case, we identified THSuite as the owner of the database and contacted the company with our findings.

  • Date discovered: December 24, 2019
  • Date owners contacted: December 26, 2019
  • Date Amazon AWS contacted: January 7, 2020
  • Date database closed: January 14, 2020

Example of Entries in the Database

Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.

The leaked bucket contained so much data that it wasn’t possible for us to examine all records individually. Instead, we looked through a handful of random entries to understand the type of data exposed in the breach.

In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US– Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. However, this breach affected many more dispensaries, it is possible that all THSuite clients and their customers were involved.

We also found photographs of government-issued photo IDs and corresponding signatures of dispensary visitors and patients. Additionally, there is proof that each patient acknowledged state laws regarding purchase and use of cannabis-based medicine.

Amedicanna Dispensary Files

The THSuite breach involved data from AmediCanna Dispensary, a medical marijuana dispensary located in the state of Maryland.

The leak exposed many personal details about Amedicanna’s customers (Image 1 in appendix). This included: Full name, phone number, email address, date of birth, address, medical/State ID number and expiration date, Cannabis gram limit and signature.

The database also included details about Amedicanna’s inventory and sales. We were able to view a list of transactions with the following information (Image 2):

  • Patient name and medical ID number
  • Employee name
  • Cannabis variety and quantity purchased
  • Total transaction cost
  • Date received, along with an internal receipt ID

Bloom Medicinals

Bloom Medicinals is an Ohio-based medical marijuana dispensary with locations in Akron, Columbus, Maumee, Painesville, and Seven Mile.

The data breach exposed information about the dispensary’s inventory, monthly sales reports, and compliance reports, as well as patient details:

  • Full name
  • Date of birth
  • Medical/State ID and expiration date
  • Phone number
  • Email address
  • Street address
  • Date of first purchase
  • Whether the patient received financial assistance for cannabis purchases
  • Whether the patient opted in for SMS notifications

We were able to view the dispensary’s monthly sales, discounts, returns, and taxes paid. The sales were further broken down by payment method and product type.

The database included a list of each cannabis product, along with a brief description, the product’s supplier, and its price (Image 3).

Colorado Grow Company

Colorado Grow Company is a recreational marijuana dispensary located in the city of Durango, Colorado.

The THSuite data breach exposed the dispensary’s monthly sales reports for both cannabis and non-cannabis products, including gross sales, discounts, taxes, net sales, and totals for each payment type.

The leak exposed full names of dispensary employees and the number of hours they worked (Image 4) during each two-week pay period.

The database also included a detailed inventory list with product names, descriptions, cost breakdowns, and quantity.

Data Breach Impact

Privacy Concerns for Cannabis Users

As a result of this data breach, sensitive personal information was exposed for medical marijuana patients, and possibly for recreational marijuana users as well. This raises serious privacy concerns.

Medical patients have a legal right to keep their medical information private. Those whose personal information was leaked may face negative consequences both personally and professionally.

Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual. HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time.

Cannabis dispensaries exist in a legal gray area, since in the US there are major conflicts between federal and state laws regarding both medical and recreational marijuana. Even in states where cannabis use is permitted under state law, it’s still prohibited under federal law.

Many workplaces also have specific policies prohibiting cannabis use. Customers and patients may face consequences at work if their cannabis use was exposed. Some could even lose their jobs, especially if they work for a federal agency.

Even without the legal risks, there’s still a social stigma surrounding marijuana use. Individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis.

Scams and Phishing Attacks

Hackers and scammers can take advantage of personal details exposed in the data breach to create highly effective personalized phishing attacks. 

Hackers can easily use exposed details to gather more personal data through social media accounts and other online sources. Detailed information about recent purchases exposed in the data breach could be used to gain access to private financial accounts.

With enough information, a malicious party could even commit identity theft.

Impact on Dispensaries

The data breach also affects dispensaries that trusted THSuite with their private information. These dispensaries may find themselves facing major consequences because of the possible HIPAA violation created by this breach.

Another issue is that competing dispensaries may now have access to detailed information about these dispensaries’ customers and inventory. This could be used  by competitors to improve pricing strategy and product offerings. They can even use leaked customer information to create targeted ad campaigns.

Affected dispensaries could lose customers as a result of the data breach. Even though dispensaries were not directly responsible, customers might hesitate to trust these dispensaries with their personal information after it was leaked.

Advice from the Experts

THSuite could have easily avoided this leak if they had taken some basic security measures to protect the Amazon S3 bucket. These include, but are not limited to:

  • Secure your servers
  • Implement appropriate access rules
  • Never leave a system that doesn’t require authentication open to the internet

Any company can replicate the same steps, no matter its size. To learn more about how to protect your business, check out our in-depth guide on securing your website and online database from hackers.

For Affected Dispensaries

We recommend contacting THSuite directly to find out more about the company’s security practices and how it plans to ensure the safety of your data in the future.

THSuite should investigate how this data breach occurred and implement new security procedures to make sure something like this doesn’t happen again.

We also recommend thoroughly vetting any third party services you hire to make sure they follow best practices and have multiple security measures in place to protect sensitive data.

For Affected Customers

If you are a customer or patient of a marijuana dispensary, we recommend that you speak directly with your provider to find out if they are using THSuite or have used it in the past.

If you believe your private information may have been exposed in this data breach, there are steps you can take to minimize its impact.

Read our complete guide to online privacy to learn about the techniques hackers use to invade your privacy and what you can do to protect yourself. We also recommend you use a VPN to protect your private data from cybercriminals who may try to target you after your information was leaked.

You may also want to speak to your dispensary to find out how it’s going to guarantee your safety and privacy in the future.

Leave a Reply

Your email address will not be published. Required fields are marked *

NBX powered by PANDA Technologies
NBLS Website