Information on 30,000 cannabis users was leaked

A database belonging to THSuite, a sales support system for medical and recreational marijuana pharmacies, was leaked. The database involves nearly 30,000 users connected to the medical and recreational cannabis industry.

The leaked database was found on December 24, 2019, and is owned by THSuite. The VPNMentor research team, led by Noam Rotem and Ran Locar, reportedly said they found an insecure Amazon S3 bucket on the Internet, exposed without any authentication or security measures, which was the source of the data leak.

At present, citizens in some states in the United States can take medical marijuana legally. However, the pharmacies involved must adhere to strict legal standards to prevent users from abusing it or violating state laws. An automated system like THSuite therefore makes it easier for operators to follow these standards and plays a role in recording data.

According to VPNMentor experts, the incident exposed sensitive information about U.S. marijuana users, and more than 85,000 files were exposed. The leaked information includes:

  • Patient name and medical ID number
  • Employee name
  • Cannabis variety purchased
  • Quantity of cannabis purchased
  • Total transaction cost
  • Date received, along with an internal receipt ID

“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual. HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time,” concludes VPNMentor.