© 2025 WOSU Public Media

Federal lawsuits claim Ohio Medical Card exposed nearly 1 million patient records online

These images were redacted by the cyber security researcher who discovered nearly one million patient records of the business Ohio Medical Card / Ohio Medical Alliance. The company connects patients with providers that can issue state-approved medical use cards for cannabis.
Provided by Jeremiah Fowler / websiteplanet.com

Several federal lawsuits filed in Cleveland claim a company that connects patients in Ohio to providers of medical marijuana cards exposed nearly one million patient records online.

The six lawsuits allege Ohio Medical Card, also known as Ohio Medical Alliance, revealed Social Security numbers, medical records and mental health evaluations. Jeremiah Fowler, a cyber security researcher, stated in a blog post that he informed the company about the accessibility of the database. Records he provided appear to show one patient's weight, body mass index, medications, anxiety diagnosis and other diagnoses, as well as her address.

Fowler blurred and redacted the images to protect the person's identity before sharing the screenshots.

The state's Division of Cannabis Control confirmed Tuesday it referred a complaint to the State Medical Board of Ohio.

Attorney Marc Dann represents a Columbus woman who filed suit after Fowler found the information and notified people.

He said the issue is particularly worrisome because it also revealed people as cannabis users.

"Look, any private data people don't want to share with everybody in the world. But certainly people who use marijuana, there's still some controversy about that," Dann said. "And there are health issues that are associated with that that are protected under HIPAA. And so it makes these data breaches particularly more worrisome."

Attorneys representing the six plaintiffs have asked the judge to designate the suits as a class action case. Dann is seeking more than $5 million and anticipates more than 100 people will be part of the suit.

Dann said if the case is certified as a class action suit, "then anybody who is a member of the class will be given the opportunity to either stay in the class with us and have us litigate the case for them or opt out and bring their own case."

Dann also said anyone that's been notified that their data was exposed "don't really have to do anything."

"As long as there's at least one person bringing that class action case, the statute of limitation is tolled and you can rest assured that your interests are protected until that gets all sorted out," Dann said.

The suit claims the company failed to "properly secure and safeguard private information that was entrusted to it."

WOSU reached out to Ohio Medical Card but did not receive a response.

Dann said the company has made some responsible moves to mitigate the damage.

"They've retained counsel, and they've acknowledged that there's a problem, which is always a good sign," Dann said. "And the first and most important thing is let's secure the data and see if there's a way to make sure that we can minimize any potential risk to the members of the class. And so we are hopeful that that's what they're in the process of doing right now. It's a process called mitigation of damages."

Fowler states the database was removed from the internet a day after he discovered it and informed the company.

Dann said the plaintiffs are entitled to compensation.

"I think they should be held accountable for whatever losses that people have," Dann said. "They have to change records (and) get a new social security number. The time and energy and resources that they have to spend to make things right. The company that allowed the negligence to happen should be the ones to pay that."

Renee Fox is a reporter for 89.7 NPR News.