Cyber security researcher provides details about a large medical cannabis database, which he says was publically accessible.
The amount of sensitive information about patients stored online is increasing as medical cannabis programs spread around the globe. In worst-case scenarios, some are not protected at all.
Jeremiah Fowler, a cyber security expert, journalist, and technologist claims to have found thousands of data breaches in various industries over the last decade.
Fowler recently wrote about an unencrypted and non-password-protected database he states he discovered belonging to an Ohio-based organisation involved in assisting patients acquire marijuana ID cards. According to reports, the database contained 957 434 records.
He says that he saw:
- Images of drivers’ licenses in high resolution.
- Documents of identification that contain names, addresses, dates of birth and license numbers.
- Take-in forms
- Records of medical care
- Forms for releasing a release
- Social Security Numbers are required on all physician certification forms.
- Evaluations of mental health.
- Identification documents issued by multiple states
Fowler claims he has sent an official disclosure to the organization involved. He did not receive a reply but the next day the database’s access was blocked.
The companies and organizations which collect and maintain potentially sensitive data (such as health and patient information) need to take further security precautions in order prevent accidental data leakages and unauthorized access. he says.
His recommendations include:
- Use encryption.
- Protect PDF documents with a password
- Store all your data on different locations.
- It is not necessary to use the records that you have isolated.
- Access sensitive files with time and role-based access restrictions.
- Training on data privacy and protection as well as phishing awareness is essential.
Fowler says that, generally, the Health Insurance Portability and Accountability Act in the USA (HIPAA), which is strict on privacy and security, protects medical records and mental health files.
There are contradictory messages in the media about HIPAA protection and medical marijuana. But when HIPAA-covered employees access personal health information, they’re subject to HIPAA security and privacy rules, he says.
Such incidents are particularly unsettling for patients given the sensitive nature of their information — and what could be done with it. Patients should also inquire about the security of their data before signing with any provider.