Several federal lawsuits filed in Cleveland claim a company that connects patients in Ohio to providers of medical marijuana cards exposed nearly one million patient records online.
The six lawsuits allege Ohio Medical Card, also known as Ohio Medical Alliance, revealed social security numbers, medical records and mental health evaluations. Jeremiah Fowler, a cyber security researcher, stated in a blogpost that he informed the company about the accessibility of the database.
Records he provided appear to show one patient’s weight, body mass index, medications, anxiety diagnosis and other diagnoses, as well as her address, WOSU reported.
Fowler blurred and redacted the images to protect the person’s identity before sharing the screenshots.
The state’s Division of Cannabis Control confirmed Tuesday it referred a complaint to the State Medical Board of Ohio.
Attorney Marc Dann represents a Columbus woman who filed suit after Fowler found the information and notified people.
He said the issue is particularly worrisome because it also revealed people as cannabis users.
“Look, any private data people don’t want to share with everybody in the world. But certainly people who use marijuana, there’s still some controversy about that,” Dann said. “And there are health issues that are associated with that that are protected under HIPAA. And so it makes these data breaches particularly more worrisome.”
Attorneys representing the six plaintiffs have asked the judge to designate the suits as a class action case. Dann is seeking more than $5 million and anticipates more than 100 people will be part of the suit.
Dann said if the case is certified as a class action suit, “then anybody who is a member of the class will be given the opportunity to either stay in the class with us and have us litigate the case for them or opt out and bring their own case.”
Dann also said anyone that’s been notified that their data was exposed “don’t really have to do anything.”
“As long as there’s at least one person bringing that class action case, the statute of limitation is tolled and you can rest assured that your interests are protected until that gets all sorted out,” Dann said.
The suit claims the company failed to “properly secure and safeguard private information that was entrusted to it.”
WOSU reached out to Ohio Medical Card but did not receive a response.
Dann said the company has made some responsible moves to mitigate the damage.
Read the rest of this story at WOSU
