Data of some Ohio medical marijuana patients exposed in breach

Jackie Borchardt, The Cincinnati Enquirer

One Ohio medical marijuana dispensary was exposed in a national data breach that leaked personally identifiable information on more than 30,000 people.

Bloom Medicinals, which operates five dispensaries in Ohio, including one in Columbus, was one of three cannabis companies identified in a report revealing a recent leak involving THSuite, which provides point-of-sale systems to cannabis stores.

Internet researchers at vpnMentor were able to see patient and sales data and dispensary compliance reports. Specifically, they were able to see patients' names, dates of birth, phone numbers, email addresses, street addresses, dates of first purchase and whether the patients received financial assistance for purchases.

Researchers said the leak could harm patients because marijuana remains illegal on the federal level and a stigma remains around its use.

They also found records of the dispensary's monthly sales and discounts and of each product's supplier and price.

Besides Columbus, Bloom also has locations in Akron, Maumee, Painesville and Seven Mile, which is in Butler County.

A Bloom spokesman said the company is investigating and working with THSuite to identify any Ohio patients affected.

“Once we have identified any affected patients, we will notify each individual and follow HIPAA breach-notification protocols,” the company said in a statement. “Bloom Medicinals serves tens of thousands of patients in multiple states, and we take patient privacy very seriously. Rest assured we will implement any corrective action necessary to both remedy and ensure this does not happen again.”

Two other businesses — AmediCanna Dispensary in Maryland and Colorado Grow Co. — also were identified in the breach, but more could be affected.

Bloom is the only Ohio dispensary that uses THSuite, according to the Ohio Board of Pharmacy. A board spokeswoman referred additional questions to Bloom.

“The Board takes any breach of data security and private patient information very seriously,” spokeswoman Ali Simon said in an email. “The Board cannot comment at this time, but is looking into this issue.”

The leaked data — more than 85,000 files — was discovered on Dec. 24. THSuite was notified of the leak on Dec. 26, and the leak was closed on Jan. 14, according to vpnMentor.

State rules prohibit sharing “patient-specific dispensary transactions.” Dispensaries also must use electronic records systems that guarantee confidentiality.

The researchers warned that affected dispensary customers could be vulnerable to phone or email phishing attacks in which scammers trick people into providing more personal information.