As more states expand access to medical marijuana, specialized clinics and telehealth platforms have become the main gateway for patients to obtain legally required certifications. But while these services promise convenience, they also collect and retain large volumes of sensitive medical and personal information — data that is increasingly vulnerable to exposure.

Why These Records Are So Valuable

Unlike routine medical files, patient records held by cannabis certification providers often combine multiple forms of personal identification with highly sensitive health details. Patients are typically asked to provide:

  • Copies of driver’s licenses or state IDs
  • Physician evaluations and medical records confirming qualifying conditions
  • Social Security numbers
  • Email addresses and phone numbers
  • Details of mental health conditions or chronic illnesses

This information, if mishandled, can fuel identity theft, insurance fraud, or targeted discrimination. With the lingering stigma around cannabis, disclosure of such data could also lead to personal or professional harm.

The OMA Incident: An Example of the Risks

The dangers became clear when researchers uncovered two open databases connected to Ohio Medical Alliance LLC (OMA), the operator of Ohio Marijuana Card.

The databases contained 957,434 files totaling 323 GB, all left online without encryption or password protection. Exposed documents included scans of state IDs, intake forms, release papers, certification forms listing Social Security numbers, and mental health assessments. One spreadsheet even contained over 210,000 email addresses tied to patients, employees, and business partners, alongside notes about appointments and internal communications.

OMA advertises its systems as HIPAA-compliant and says it has helped more than 330,000 patients nationwide. Yet this breach calls those assurances into question. While the databases were locked down after disclosure, OMA did not respond publicly, leaving patients uncertain about whether their data had been accessed by others.

A Broader Weakness in the Industry

Cybersecurity specialists warn that medical marijuana providers — particularly startups or smaller clinics — may lack the same hardened infrastructure used in mainstream healthcare. Many rely on cloud platforms, third-party vendors, or hastily configured systems, making them susceptible to configuration errors that expose patient data.

According to industry studies, breaches involving healthcare records are already among the most expensive to recover from. The sensitivity of cannabis-related medical records only raises the stakes for patients who could face both financial harm and social stigma if their information is leaked.

What Patients Can Do

For individuals seeking medical marijuana cards, experts suggest:

  • Asking providers about their security practices and storage systems.
  • Sharing only the documents required and avoiding unnecessary email exchanges of personal data.
  • Keeping an eye on financial accounts and credit reports if personal identifiers are at risk.

Moving Forward

As legalization spreads, regulators may need to establish tighter privacy and security rules for cannabis-related healthcare providers. Until then, the OMA breach serves as a cautionary tale: convenience should not come at the cost of exposing some of the most personal details patients entrust to their caregivers.