Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician‑certified medical marijuana cards. The database held PII, drivers licenses, medical records, documents containing SSNs, and other internal potentially sensitive information.
So, the absolute bare minimum was not followed. Just wide open database containing medical information.
firefax · 2h ago
More evidence cannabis needs to be recreational. We can let people use their FSA money for it and/or give a steep discount to people who "really" need it, like cancer patients... but I think a lot of people who bounce between
Anyways, there are a LOT of little fly by night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent seek, and it's not at all a surprise one had poor data practices.
recursive · 12s ago
This seems totally unrelated to whether cannabis should be recreational. If my insurance company leaked my PHI, that would certainly not be evidence that any of my prescriptions should be OTC.
sailfast · 2h ago
So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?
What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/
Kinda incredible - even if they’re not covered providers they are still requesting medical records!
nickff · 46m ago
They usually require records for compliance with state regulations (but the state does not require them to follow HIPAA).
adi4213 · 1h ago
I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!
hacker_yacker · 4h ago
Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.
I did click that -- it didn't have it listed either...
I think I wasn't clear, I wanted to know which database system people were using (i.e. Postgres, Mongo, etc). You can't even run Postgres in a container without a password these days, how could someone do a whole production deployment without a password.
sailfast · 1h ago
One more thing to note here: anybody in this database that is also part of the OPM leaks or holds a federal job (or is a trucker or other non-drug requirement) will now be compromised and subject to blackmail.
If the dots are connected they will lose their jobs. Full stop.
riffic · 2h ago
my neighborhood weed guy would never betray my trust in this way.
dolebirchwood · 33m ago
Mine once asked if I'd like a referral to a doctor who was quite liberal in approving people for medical cards in my jurisdiction. I said, "And end up being tracked as a known user in a government database? No thanks." Safer on the streets.
jrflowers · 15m ago
In Ohio the neighborhood weed guy could get hit with a felony and 18 months in jail for a half pound so… like, he might
cpursley · 2h ago
Mongo?
neilv · 48m ago
> As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions.
And that should be treated as a massive liability, where one breach wipes out your company with lawsuits. And the wronged parties can go after the assets of executives and maybe even investors, due to willful criminal negligence.
If there's any justice, the "greed is good" techbro industry will finally be told that the sociopathic combination of systemic surveillance/stalking and gross indifference about even basic security is over.
yieldcrv · 2h ago
free bank accounts for money laundering
(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)
daily reminder that KYC is a joke, the institutions and enforcement agencies that think it works, don’t know when its not working as long as a real id and ssn and address is used
aspenmayer · 1h ago
Now show cashing out.
This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.
For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.
Anyways, there are a LOT of little fly by night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent seek, and it's not at all a surprise one had poor data practices.
What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/
I think I wasn't clear, I wanted to know which database system people were using (i.e. Postgres, Mongo, etc). You can't even run Postgres in a container without a password these days, how could someone do a whole production deployment without a password.
If the dots are connected they will lose their jobs. Full stop.
And that should be treated as a massive liability, where one breach wipes out your company with lawsuits. And the wronged parties can go after the assets of executives and maybe even investors, due to willful criminal negligence.
If there's any justice, the "greed is good" techbro industry will finally be told that the sociopathic combination of systemic surveillance/stalking and gross indifference about even basic security is over.
(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)
daily reminder that KYC is a joke, the institutions and enforcement agencies that think it works, don’t know when its not working as long as a real id and ssn and address is used
This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.
For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.