Researchers Noam Rotem and Ran Locar from security firm vpnMentor discovered an unsecured Amazon S3 bucket on December 24, 2019, that exposed sensitive data of medical cannabis users and multiple cannabis dispensaries across the United States.
The researchers stated the leaky database is owned by THSuite, a point-of-sale and management system used in dispensaries in the U.S.
THSuite later fixed the database on January 14, 2020, after vpnMentor reported the incident. According to vpnMentor, the exposed data included personally identifiable information (PII) belonging to 30,000 individuals, scanned government and employee IDs, full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.
“Medical patients have a legal right to keep their medical information private. Those whose personal information was leaked may face negative consequences both personally and professionally,” the researchers said.
In a similar incident, Natural Health Services, the operator of Canada’s largest referral network of medical cannabis patients, suffered a data breach that exposed customers’ personal information like medical diagnoses, referrals, encounter notes, and allergies.
The Calgary-based health center stated that unknown intruders accessed personal health records between December 4, 2018, and January 7, 2019. However, the company clarified that patient prescriptions and financial, credit card or social insurance numbers weren’t compromised in the incident. The company notified the affected clients and advised them to monitor their transactions with financial institutions for any unusual activity.
“NHS identified that a number of records containing personal health information in the electronic medical record (EMR) system we use were accessed without the authorization of NHS physicians for purposes that may be unrelated to providing medical care,” the company said in a statement. “NHS is working with law enforcement and the Information and Privacy Commissioner of Alberta to investigate this matter. NHS is undertaking all necessary steps to work with the respective provincial privacy commissioners to ensure that this does not happen again.”