Ohio's state medical board investigating complaint of medical cannabis card record breach

WOSU 89.7 NPR News | By Renee Fox

Published September 17, 2025 at 4:51 PM EDT

These images were redacted by the cyber security researcher who discovered nearly one million patient records of the business Ohio Medical Card / Ohio Medical Alliance. The company connects patients with providers that can issue state-approved medical use cards for cannabis.

The State Medical Board of Ohio is investigating an apparent data breach of Ohio Medical Card/Ohio Medical Alliance client records.

A cyber security researcher found the medical records.

The company helps connect patients to providers who issue medical cannabis cards. The breach potentially revealed the identities of people with the cannabis cards.

A complaint has been filed against Ohio Medical Card with the state’s Division of Cannabis Control.

Several federal lawsuits have been filed in Cleveland against the company.

Attorneys are asking a judge to designate the case as a class action suit.

WOSU has reached out to Ohio Medical Card but have not heard back.

Jeremiah Fowler, the cyber security researcher who discovered the unprotected patient records online, said the company failed in its responsibilities.

“They were too busy selling weed and not focused enough on data privacy and security," Fowler said.

Fowler came across a repository of the files people use to prove they qualify for medical cannabis.

"What I saw in this database was many people submitted their own medical records and then they got dumped into this database as kind of like a catch-all storage," Fowler said.

This image was redacted by the cyber security researcher who discovered nearly one million patient records of the business Ohio Medical Card / Ohio Medical Alliance. The company connects patients with providers that can issue state-approved medical use cards for cannabis. The records were unprotected online.

Fowler helps protect data by scouring the internet for security weaknesses.

He said when companies enter into businesses that require data to be collected and stored, they have to adapt their business model, too.

“The second that you collect and store personally-identifiable information, you are now a tech company. You now must invest in data protection and cyber security, because this is real data and these are real people," Fowler said.

In the exposed databases, Fowler found medical records displaying diagnoses, medications, social security numbers, copies of IDs and patient forms. Fowler wrote about the discovery in a blogpost.

In an interview with WOSU, Fowler said he's heard of insurance companies paying for data like this, which he said could impact insurance premiums.

"I saw documents that indicated pretty embarrassing medical diagnoses, you know something that maybe you didn't want people to know, maybe you did want employers to know, insurance companies because we all know how ethical they are," Fowler said.

This image was redacted by the cyber security researcher Jeremiah Fowler who discovered nearly one million patient records of the business Ohio Medical Card / Ohio Medical Alliance. The company connects patients with providers that can issue state-approved medical use cards for cannabis. The records were unprotected online. — This image was redacted by the Fowler after he discovered nearly one million patient records online. belonging to Ohio Medical Card / Ohio Medical Alliance. The company connects patients with providers that can issue state-approved medical use cards for cannabis. The records were unprotected.

Fowler said the information could also possibly be used for blackmail or identity theft.

"I saw social security numbers. I saw lots of stuff that would make it very easy for a potential identity theft. You know, someone pretending to be that person, or blackmailing that person like, 'Hey, you know I realize you have this executive job. You probably don't want it known that you smoke marijuana. Give me, you know, 0.05 Bitcoin or I'm telling everybody,'" Fowler said.