A data breach in the cannabis point-of-sale system THSuite leaked more than 85,000 files from dispensaries throughout the U.S., including more than 30,000 records containing personally identifiable information, according to vpnMentor, the firm that discovered the breach.

The breach was first discovered by researchers on Christmas Eve 2019 and was closed on January 14. The data, which was discovered in an unsecured and unencrypted Amazon S3 bucket owned by THSuite, includes full names, dates of birth, phone numbers, email addresses, street addresses, medical cannabis program identification numbers, cannabis type and quantity purchased, transaction costs, and date-of-purchase. Medical cannabis patient medical histories were also discovered in the data breach, along with scans of government-issued and employee IDs.

“At the very least, THSuite should investigate to find out how this data breach occurred and implement new security procedures to make sure something like this never happens again.” – vpnMentor, in its January 22 report.

The records found in the breach belong to three different dispensaries: Maryland’s AmediCanna, Ohio’s Bloom Medicinal, and Colorado Grow Company. However, vpnMentor said it’s possible that all of THSuite’s clients and customers were affected. The report notes that the bucket contained “so much data” that it wasn’t possible for the researchers to examine all of the records individually to see what else could have been exposed.

Under the Health Insurance Portability and Accountability Act (HIPAA), exposing protected health information that could be used to identify an individual is a federal crime and violations can lead to fines of $50,000 for every exposed record and potential jail time.

In a statement to Cleveland.com, Bloom Medicinal said the company is working with THSuite and, once any affected patients have been identified, would contact them “and follow all HIPAA breach requirements.”

According to vpnMentor, the leaked details could be used to create elaborate and effective phishing attacks and could lead to identity theft.
