Tens of thousands of cannabis users’ personal data has been exposed, including information belonging to medical marijuana patients, due to a breach of a sales system used throughout the industry.

Internet privacy researchers at vpnMentor discovered the data breach in THSuite, a cannabis point-of-sale system. The exposed data was discovered in a completely unsecured and unencrypted Amazon S3 bucket owned by the company.

The data was first discovered on Christmas Eve of 2019. vpnMentor’s researchers, led by Noam Rotem and Ran Locar, contacted THSuite soon after. The exposed database was finally closed on Jan. 14 of this year.

The THSuite data breach affects multiple marijuana dispensaries across the United States. In all, vpnMentor reports that more than 85,000 files were leaked in the data breach, including more than 30,000 sensitive records containing personally identifiable information.

The type of information in this leaked database is very concerning, especially as it pertains to patient medical history in some cases. Personal data found among the records includes: full name, date of birth, phone number, email, street address, patient name and medical ID number, cannabis variety and quantity purchased, total transaction cost, date received, and more.

Photographs of scanned government and employee IDs were also discovered in the breach.

According to vpnMentor, its researchers verified records belonging to three different marijuana dispensaries: AmediCanna Dispensary, a medical marijuana dispensary located in Maryland; Bloom Medicinals, a medical marijuana dispensary with multiple locations throughout Ohio; and recreational dispensary Colorado Grow Company.

The privacy researchers note in their report, however, that the breach is far-reaching and affected more dispensaries than the specific ones listed. In fact, the vpnMentor report states that there’s a possibility that all of THSuite’s clients and its customers were affected.

The report notes that the data makes the affected parties susceptible to scams and sophisticated phishing attacks. It also points out that the breach could result in fines for the dispensaries due to possible violations of HIPAA regulations.