Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician-certified medical marijuana cards. The database held PII, driver's licenses, medical records, documents containing SSNs, and other internal, potentially sensitive information.
So the absolute bare minimum was not followed: just a wide-open database containing medical information.
firefax|6 months ago
More evidence cannabis needs to be recreational. We can let people use their FSA money for it and/or give a steep discount to people who "really" need it, like cancer patients... but I think a lot of people who bounce between
Anyways, there are a LOT of little fly-by-night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent-seek, and it's not at all a surprise one had poor data practices.
So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?
sailfast|6 months ago
What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/
time0ut|6 months ago
Medical marijuana dispensaries are not covered entities under HIPAA [0]. The way the law works is weird, but they are not required to comply. All the more reason the federal government needs to catch up with the times on cannabis.
I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!
Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.
Mine once asked if I'd like a referral to a doctor who was quite liberal in approving people for medical cards in my jurisdiction. I said, "And end up being tracked as a known user in a government database? No thanks." Safer on the streets.
Your neighborhood weed guy would never have your personal information, perhaps not even your full name, a nickname would suffice. But I get the point and the pun. It’s all a big charade
sailfast|6 months ago
One more thing to note here: anybody in this database that is also part of the OPM leaks or holds a federal job (or is a trucker or other non-drug requirement) will now be compromised and subject to blackmail.
If the dots are connected they will lose their jobs. Full stop.
yieldcrv|6 months ago
(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)
daily reminder that KYC is a joke; the institutions and enforcement agencies that think it works don't know when it's not working, as long as a real ID, SSN and address are used
aspenmayer|6 months ago
This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.
For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third-party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.
neilv|6 months ago
> As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions.
And that should be treated as a massive liability, where one breach wipes out your company with lawsuits. And the wronged parties can go after the assets of executives and maybe even investors, due to willful criminal negligence.
If there's any justice, the "greed is good" techbro industry will finally be told that the sociopathic combination of systemic surveillance/stalking and gross indifference about even basic security is over.
[0] https://www.hhs.gov/hipaa/for-professionals/covered-entities...