A major data exposure has potentially compromised the privacy of hundreds of thousands of medical marijuana patients across the country. Security researchers uncovered two unprotected databases containing nearly one million files linked to Ohio Medical Alliance LLC (OMA), the company behind the brand Ohio Marijuana Card.
The unsecured databases — weighing in at 323 gigabytes with 957,434 records — were left accessible online with no password protection or encryption. Documents included scans of driver’s licenses and ID cards displaying names, home addresses, dates of birth, and license numbers.
Highly Sensitive Medical Records
Folders appeared to be organized by patient names and contained highly confidential healthcare documents, including intake packets, physician certifications with Social Security numbers, release forms, and mental health evaluations. Many records detailed medical diagnoses and reasons for requesting medical marijuana prescriptions.
Most of the files were in PDF, JPG, and PNG formats, but one CSV file titled “staff comments” revealed extensive internal notes. That single file contained roughly 210,620 email addresses tied to patients, staff members, and business associates. It also included private details about appointments, client status updates, and employee communications.
Connection to Ohio Medical Alliance
Evidence strongly suggests the data belonged to Ohio Medical Alliance (OMA), a telehealth and in-person clinic network that helps patients obtain state-approved medical marijuana cards. According to the company’s website, OMA has assisted more than 330,000 patients nationwide and operates facilities in Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia. The group charges patients about $198 per evaluation with state-licensed physicians.
Disclosure and Company Silence
The exposure was reported to OMA through a responsible disclosure notice, after which public access to the data was quickly restricted. However, the company has not provided any official response or public acknowledgment of the issue.
It remains unclear whether the exposed databases were managed directly by OMA or by an outside vendor. The length of time the records were left unprotected is also unknown, leaving open the possibility that third parties accessed the information before it was secured. Only a comprehensive forensic review could confirm whether malicious activity occurred.
HIPAA and Trust Concerns
OMA advertises that all patient data is stored in a HIPAA-compliant environment, but this exposure directly undermines those assurances. If confirmed, the leak could result in regulatory scrutiny, legal consequences, and loss of patient trust.
The exposed records could be exploited for identity theft, fraud, or discrimination. Given the stigma surrounding medical marijuana use in some areas, the leak could also lead to reputational damage for affected patients.
Larger Trend in Healthcare Data Security
The incident highlights a persistent issue in healthcare: poorly secured cloud systems and third-party vendors create massive risks for sensitive data. With 323 GB of highly confidential information left exposed, the OMA breach ranks among the more alarming cases of healthcare-related data mishandling in recent years.
For now, OMA patients and partners are left waiting for answers — and reassurance that their personal information is no longer at risk.