August 22, 2025 — As medical marijuana becomes more widely accepted across the United States, clinics and telemedicine providers have emerged to help patients secure legally required certifications. But with this rapid growth comes a significant and often overlooked concern: the handling and protection of highly sensitive medical data.
Unlike traditional healthcare providers, which have decades of experience handling electronic health records, some medical marijuana certification services rely heavily on third-party platforms, cloud storage, and telemedicine tools that may not be configured or maintained with the same rigor. The result is an expanding target for cybercriminals and a growing risk for patients who trust these organizations with their most private information.
Why Medical Marijuana Records Are Especially Sensitive
The data collected by cannabis clinics often includes more than standard personal identifiers like names, addresses, and dates of birth. Patients typically must provide:
- State-issued identification documents (driver’s licenses or IDs)
- Medical records and physician certifications confirming qualifying health conditions
- Social Security numbers
- Contact information and email addresses
- Notes on mental health or chronic illnesses
In many cases, the reason patients seek medical marijuana treatment is documented in detail. That makes these records a goldmine not only for identity thieves but also for potential employers, insurers, or others who could discriminate based on a diagnosis or cannabis use.
The OMA Breach: A Wake-Up Call
The risks became clear earlier this year when security researchers discovered two unsecured databases tied to Ohio Medical Alliance LLC (OMA), the company behind Ohio Marijuana Card.
The databases, totaling 323 GB and 957,434 records, were reachable over the internet with no password required, and their contents were stored unencrypted. Files included high-resolution images of IDs, physician certification forms containing Social Security numbers, medical evaluations, and internal staff notes. One document alone listed over 210,000 email addresses belonging to patients, employees, and partners.
OMA claims to operate a HIPAA-compliant storage system and has helped over 330,000 patients nationwide. But the exposure directly contradicted its privacy promises. Although the databases were secured after responsible disclosure, the company has not publicly commented on the incident, and it remains unclear whether outsiders accessed the data before it was restricted.
A Wider Industry Problem
OMA’s case is not an isolated concern. Security experts warn that medical marijuana providers, particularly smaller or fast-growing telemedicine startups, may lack the infrastructure or resources to maintain robust cybersecurity practices. Many rely on contractors, external cloud services, or off-the-shelf platforms, any of which becomes a weak link if misconfigured: a database or storage bucket that is reachable from the internet without credentials is exposed regardless of how carefully the application in front of it was built.
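As an added illustration, not part of the original article and not OMA's configuration (which the article does not describe), the exposure pattern above, a datastore reachable from the internet with no credentials, is a configuration defect that can be caught before deployment. The Python below audits two constructed examples, a mongod-style config and an AWS S3 bucket policy, for exactly that: a listener bound to all interfaces with authorization disabled, and an Allow statement granting s3:GetObject or s3:ListBucket to the anonymous principal. The configs, bucket name, account ID, and hosts are invented for the example.

```python
import json

# Constructed samples (not from OMA or any real deployment): a mongod-style
# config dict and AWS S3 bucket-policy documents in the shapes those tools
# use. Account IDs, bucket names and hosts are invented for illustration.
MONGO_CONF_OPEN = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "security": {"authorization": "disabled"},
}
MONGO_CONF_FIXED = {
    "net": {"bindIp": "127.0.0.1,10.0.3.14", "port": 27017,
            "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled"},
}
BUCKET_POLICY_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::patient-uploads",
                     "arn:aws:s3:::patient-uploads/*"],
    }],
})
BUCKET_POLICY_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/clinic-app"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::patient-uploads/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::patient-uploads",
                      "arn:aws:s3:::patient-uploads/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def audit_mongo_config(conf):
    """Return severity-prefixed findings for a mongod config dict.

    The failure mode checked is the one the article describes: a datastore
    listening on every interface with authorization switched off, so anyone
    who can reach the port reads every record without a password.
    """
    net = conf.get("net", {})
    sec = conf.get("security", {})
    binds = {ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")}
    exposed = bool(net.get("bindIpAll")) or bool(binds & WILDCARD_BINDS)
    auth_on = sec.get("authorization") == "enabled"
    tls_required = net.get("tls", {}).get("mode") == "requireTLS"

    findings = []
    if exposed and not auth_on:
        findings.append("CRITICAL: listens on all interfaces (bindIp=%s) with "
                        "authorization disabled; unauthenticated read of every "
                        "record" % net.get("bindIp"))
    elif not auth_on:
        findings.append("HIGH: authorization disabled; any local or tunnelled "
                        "client reads every record")
    if exposed and not tls_required:
        findings.append("MEDIUM: network-exposed listener without requireTLS; "
                        "records and credentials cross the wire in plaintext")
    return findings


def _principal_is_anyone(principal):
    """True for the anonymous principal '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket_policy(policy_json):
    """Return findings for an S3 bucket policy that grants anonymous reads."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        granted = sorted(a for a in actions if a.lower() in READ_ACTIONS)
        if not granted:
            continue
        # A Condition narrows the grant (e.g. to a source VPC); it still needs a
        # human look, but it is not the unconditional exposure of the open case.
        severity = "REVIEW" if stmt.get("Condition") else "CRITICAL"
        findings.append("%s: statement %s grants %s to anyone on %s"
                        % (severity, stmt.get("Sid", "?"), ",".join(granted),
                           stmt.get("Resource")))
    return findings


if __name__ == "__main__":
    for label, result in (("mongo open", audit_mongo_config(MONGO_CONF_OPEN)),
                          ("mongo fixed", audit_mongo_config(MONGO_CONF_FIXED)),
                          ("bucket open", audit_bucket_policy(BUCKET_POLICY_OPEN)),
                          ("bucket fixed", audit_bucket_policy(BUCKET_POLICY_FIXED))):
        print(label, "->", result or "no findings")
```

Run as a script to see the open configurations flagged and the fixed ones pass. In practice a check like this belongs in the deployment pipeline (against the real rendered config and the policy returned by the cloud API), paired with an external scan of the provider's public address space, since a misconfiguration that never reaches a reviewer is exactly how exposures like the one above happen.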
Healthcare breaches are already the most expensive category of cyber incidents according to IBM’s annual Cost of a Data Breach Report. When combined with the unique stigma still surrounding cannabis use, the fallout from a breach could be especially damaging for patients.
What Patients Should Know
Patients seeking medical marijuana evaluations can take steps to reduce their risks:
- Ask clinics how they store medical records, which third-party vendors or platforms handle them, and whether those systems are encrypted and HIPAA-compliant.
- Provide only the documents the state program actually requires, and avoid sending ID scans, Social Security numbers, or medical records over ordinary email; use a secure upload portal if the clinic offers one.
- Monitor credit reports and financial accounts for unusual activity, and consider a credit freeze if a driver’s license number or SSN was involved.
Looking Ahead
As medical marijuana programs expand, regulators may face pressure to impose stricter security and compliance standards on certification providers. Until then, the OMA breach serves as a stark reminder: the therapeutic benefits of medical cannabis should not come at the cost of patients’ privacy.