Up in Smoke: Ohio Marijuana Card Data Breach Exposes 1M Medical Cannabis Records
by Brian Eckert
Nearly one million medical marijuana patients in Ohio had some of their most private information left exposed online, putting them at risk for identity theft, medical fraud, phishing, and other harms, according to multiple lawsuits.
The unsecured database—tied to Ohio Medical Alliance LLC, which does business as Ohio Marijuana Card—contains a trove of sensitive records ranging from medical evaluations to high-resolution images of driver’s licenses. Now, the company faces a wave of class action lawsuits from patients that argue it failed to implement the most basic safeguards to keep their information private.
What to Know:
- A cybersecurity researcher discovered roughly 957,000 patient records that were publicly accessible in an unencrypted, non-password-protected database.
- The exposed data includes highly sensitive patient information, such as names, addresses, dates of birth, health evaluations, and physician reports.
- At least six proposed class actions have been filed in federal court, including one brought by Milberg.
- Plaintiffs have asked the Northern District of Ohio to consolidate the cases.
- Cyberattacks are a growing risk in the cannabis industry.
- Beyond identity theft, exposure of medical marijuana use carries risks of stigma, discrimination, and potential legal consequences.
Medical Marijuana Records Found Unprotected
In mid-July 2025, cybersecurity researcher Jeremiah Fowler stumbled across an unsecured database belonging to Ohio Medical Alliance LLC, better known as Ohio Marijuana Card, an organization that helps individuals obtain physician-certified medical marijuana cards.
Fowler reported the discovery of the database, more than 323 gigabytes in size and containing nearly a million patient files, to Website Planet.
The exposed information included patients’ full names, Social Security numbers, birth dates, home addresses, driver’s license images, medical intake forms, physician certifications, internal notes, and even offender release cards used by people reentering society after incarceration. One spreadsheet labeled “staff comments” also revealed more than 200,000 email addresses linked to employees, business associates, and customers.
Unlike standard healthcare systems that encrypt or firewall patient records, this one was left wide open: no password, no encryption, no protections at all. The files were even stored in folders labeled with patient names, making the data easily searchable.
The publicly available database included medical documents indicating patients’ diagnosis and the reason they were seeking to be prescribed medical marijuana.
According to Fowler, he notified the company on July 14, and by the following day the database was no longer publicly accessible. However, he “did not receive any reply to my responsible disclosure notice.”
It is unknown how long the database was exposed before he discovered it or whether anyone else may have gained access, Fowler said. However, anyone could have downloaded, copied, or shared the data during the exposure. By August, news of the breach was public, and lawsuits quickly followed.
Between late August and early September, at least six patients had filed proposed class actions in the Northern District of Ohio. The suits allege that Ohio Medical Alliance failed to follow the most basic data-security practices, violating consumer protection laws and duties of care. Plaintiffs are now asking the court to consolidate the cases and similar Ohio Marijuana Card data breach suits that may follow from the database exposure.
Milberg Files Ohio Marijuana Card Data Breach Lawsuit
Among the first lawsuits related to the unsecured database was a case filed on August 25 on behalf of Kirk Burd, represented by Milberg attorney David K. Lietz (Case No. 1:25-cv-01779).
Burd and Milberg seek to represent a nationwide class of all individuals whose private information was accessed or acquired in the data breach. Key allegations include:
- Failure to safeguard highly sensitive medical data. The exposed files revealed diagnoses and reasons for patients seeking cannabis treatment—information that is both valuable to criminals and potentially stigmatizing.
- No notice to patients. Ohio Marijuana Card has allegedly not provided any notice to impacted patients about the database exposure.
- Breach of implied contract. Patients paid for services with the expectation that a portion of those payments would go toward adequate data security. The company breached its implied promises when it failed to protect that information.
- Unjust enrichment. The filing alleges the company retained payments that should have funded security measures, creating grounds for a restitution claim.
In addition, the complaint stresses that medical cannabis data poses risks beyond identity theft and fraud.
Despite medical marijuana being legal in Ohio and most states, and about half of states approving recreational use, cannabis remains federally illegal. Its use “is something that many people would want to remain private,” the complaint states.
Exposed records also contained detailed personal and health information that could “potentially be exploited for harassment or extortion attempts.” Both marijuana use and mental health information are private matters that could be “stigmatized by employers, friends, or family” if revealed, the complaint adds.
Health conditions or cannabis use disclosed without consent could result in patients facing discrimination in employment or difficulty obtaining insurance, according to the HIPAA Times.
Ohio Marijuana Card states on its website that it serves over 250,000 Ohio patients and has helped more than 340,000 patients nationwide access medical marijuana for qualifying medical conditions such as anxiety and PTSD. Its privacy statement claims that all patient information is kept confidential in their HIPAA-compliant file storage system.
Burd and the proposed class seek compensatory and consequential damages, as well as injunctive relief requiring Ohio Medical Alliance to strengthen its security systems, undergo annual audits, and provide credit monitoring for all affected patients.
Cybercriminals Seeing Green in Cannabis Industry
Wired writes that people who apply for medical marijuana cards must share particularly personal health data to qualify. This highly sensitive information can also be highly valuable to cybercriminals, who have recently targeted the cannabis industry amid a broader spike in healthcare data breaches.
The Sapphire Risk Advisory Group, which provides cannabis security consulting services, explains that the lucrative U.S. cannabis industry, valued at around $35 – $40 billion, is mostly comprised of small companies that often lack sufficient resources to devote to security, creating “the perfect opportunity for hackers to exploit network vulnerabilities common to many companies within the space.”
A survey from MJBizDaily found that 59% of cannabis companies polled had not taken steps to prepare for a cyberattack, even though they are vulnerable to attacks.
Because marijuana remains federally illegal, many companies rely on smaller third-party vendors for payment processing, compliance, and point-of-sale systems. When those vendors are compromised—as in the 2024 STIIIZY breach that impacted 380,000 customers or the 2020 THSuite data breach that affected multiple dispensaries and at least 30,000 customers—it puts at risk patient data that is uniquely sensitive, valuable, and legally complex.
Fowler told Website Planet that it is not known whether the exposed OMA database he uncovered was owned and managed directly by Ohio Medical Alliance or by a third-party contractor.
Experts warn that until cannabis businesses treat cybersecurity with the same seriousness as traditional healthcare and financial institutions—using encryption, vendor vetting, audits, training, and incident response plans—patients will remain especially vulnerable to incidents like the Ohio Marijuana Card data breach.
Milberg’s Privacy Practice
Milberg has built one of the country’s most active and effective privacy practices. Our Cybersecurity & Privacy team, in just the past several years, has settled dozens of class actions involving privacy violations in state and federal courts and recovered millions of dollars for our clients while developing favorable case law that plaintiffs rely on in this rapidly developing area.
Over a recent three-year period, no other plaintiffs’ class action firm in the country settled and won court approval of more data breach and data privacy class actions than Milberg.