Info on Nevada dispensary applicants exposed

A security researcher discovered this week that the personal information of more than 11,000 medical marijuana dispensary applicants in Nevada could be accessed online, a revelation that caused the state to shut down its online MMJ portal.

ZDNet first reported Wednesday that a bug in the state’s medical cannabis website allowed anyone with the right web address to access an applicant’s full name, home address, Social Security number, citizenship and physical details.

The news site said Justin Shafer, a security researcher, discovered the problem. It’s not clear if other people accessed the data.

On Wednesday evening, the Nevada Division of Public Behavioral Health acknowledged the issue, saying it is investigating a possible cyber attack on its database.

“The entire portal has been taken down,” Cody Phinney, an official with the public health division, said in a release. “To prevent further breaches, the division’s IT staff are working with state IT staff, investigating the breach.”

Nevada legalized medical marijuana back in 2000 but didn’t set up a regulated industry until 2015. It’s not evident how far back the data leak goes.

3 comments on “Info on Nevada dispensary applicants exposed
  1. Michelle on

    This is most unfortunate. If state entities would treat these medical programs truly like medicine-dispensing programs and put patient privacy and security protections in place (like HIPAA) perhaps this would not happen. Instead of stressing all of the money that can be made on the backs of patients, we would do well for ourselves to protect the backs upon which this industry is made: patients. Before you comment that cannabis is not Federally legal and therefore HIPAA doesn’t apply, I’d advise that you spend 2 minutes to educate yourself HIPAA: HIPAA is series of mandates that stipulate how to protect the privacy and security of patient INFORMATION, not a series of mandates related to federally legal drugs. HIPAA stipulates that if you are handling any ONE of 18 pieces of personally identifiable information such as name, address, picture, SS#, health condition, medical identification number, DOB, etc., health entities HAVE TO secure and protect that info particularly. HIPAA is the ‘standard of care’. Think about it: when you go to the dentist, you want to know that her staff is HIPAA trained and will not act irresponsibly with your private info. Cannabis patients and caregivers have the same expectation of care: they want their health info protected and secured, too.

    Reply
    • Andrew on

      This is about the database of business license applicants, NOT patients. If you click through to the articles, “The state said no private medical marijuana patient information was disclosed.”

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *