Security researchers at VPNMentor found an exposed database containing data on 30,000 people. What all these people have in common is the use of hemp (or marijuana) for medical and non-medical reasons.
The database was found on 24 December 2019, while the company was running a web scan as part of its web scanning project. The database is owned by the company THSuite, a point-of-sale (POS) system used in the cannabis industry in the United States.
Medical marijuana is now considered legal in some US states.
According to VPNMentor researchers, the exposed THSuite database contained identity information belonging to 30,000 cannabis users. In total, more than 85,000 archives were exposed.
The information exposed is: full names of patients and staff members, dates of birth, telephone numbers, home addresses, email addresses, medical ID numbers, cannabis used, price, quantity and receipts.
The researchers entered the database and collected some random samples of cannabis distributors in Maryland, Ohio, and Colorado. Their goal was to understand the magnitude of the problem.
The samples they selected included Amedicanna Dispensary, as well as customer IDs and other information related to company inventory and sales. Another company found in the database was Bloom Medicinals, which also included customer data as well as information on hemp product listings, suppliers, price, monthly sales, discounts, rebates and taxes paid. The exposed information for Colorado Grow Company related to monthly sales, discounts, taxes, employee names and inventory lists.
This particular data leak is essentially a breach of medical data. Therefore, it is likely that there will be consequences under the American Health and Safety Act (HIPAA) passed in 1996. Under that law, patients' medical information should be protected. Anyone who violates HIPAA can receive a fine of millions of dollars or even go to prison.
"Patients have a legal right to keep their medical information private," say the researchers.
Two days after the database with cannabis users' data was discovered, VPNMentor contacted THSuite but received no response. So it contacted Amazon AWS on January 7, 2020. A week later, the database could no longer be accessed.