The industry’s complacency and the drug’s persisting taboo leave customers distinctly vulnerable

Last month came news that as many as 30,000 individuals may have been impacted by a data breach affecting a number of US marijuana dispensaries.

Researchers at vpnMentor discovered the exposed data in an unsecured and unencrypted Amazon S3 bucket owned by cannabis point-of-sale (POS) system provider THSuite.

Data included full names, dates of birth, phone numbers, emails, street addresses, and medical ID numbers, as well as the amount and variety of cannabis purchased, the transaction cost and more.

It related to patients of Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company, amongst many others: “It’s possible that all THSuite clients and their customers were involved,” said the researchers.

Big business, bigger responsibilities

Medical marijuana is already big business in the US. According to Grand View Research, sales of legal cannabis amounted to a massive $11.9 billion in 2018, and are anticipated to expand at 24% annually until 2025.

The THSuite breach highlights the privacy risks associated with this burgeoning industry, but it’s not the first: POS provider MJ Freeway experienced a data breach and two cyber-attacks in 2016 and 2017, while in Canada an electronic medical record system used by Natural Health Services was compromised in 2018.

A medial marijuana dispensary in Ypsilanti, Michigan

The danger may be increased by the fact that many industry players are start-ups that may underestimate the risks.

“As cannabis dispensaries set up shop, most don’t think themselves mature enough to invest in cybersecurity and don’t understand the implications of privacy on their business,” Forrester analyst Alla Valente told The Daily Swig.

“Perhaps they falsely believe that they’re too small to be a target – however, they’re dead wrong. This lack of security coupled with the treasure trove of PII and PHI data makes them a prime target, and frankly the low hanging fruit for cybercriminals.”

Indeed, according to a vpnMentor spokesperson, THSuite was slow to take the breach seriously.

“I can confirm that we reached out to THSuite on a few different email addresses on the 26th of December, and they never got back to us,” they told The Daily Swig. “As nobody replied, we reached out to Amazon on the 7th of January, to make sure the data would be secured.”

Marijuana legalization in the US: a timeline

  • 1996 – Medical marijuana legalized in California
  • 1998 – Medical marijuana legalized in Alaska, Washington, and Oregon
  • 1999 – Medical marijuana legalized in Maine
  • 2000 – Medical marijuana legalized in Colorado, Hawaii, and Nevada
  • 2004 – Medical marijuana legalized in Montana and Vermont
  • 2007 – Medical marijuana legalized in New Mexico and Rhode Island
  • 2008 – Medical marijuana legalized in Michigan
  • 2009 – Medical marijuana legalized in New Jersey
  • 2010 – Medical marijuana legalized in Arizona and District of Columbia
  • 2011 – Medical marijuana legalized in Delaware
  • 2012 – Medical marijuana legalized in Massachusetts
  • 2012 – Recreational marijuana legalized in Colorado and Washington
  • 2013 – Medical marijuana legalized in Illinois and New Hampshire
  • 2014 – Medical marijuana legalized in Minnesota and New York state
  • 2014 – Recreational marijuana legalized in Alaska, District of Columbia, and Oregon
  • 2016 – Medical marijuana legalized in Arkansas, Florida, North Dakota, Ohio, and Pennsylvania
  • 2016 – Recreational marijuana legalized in California, Massachusetts, and Nevada
  • 2017 – Medical marijuana legalized in West Virginia
  • 2018 – Medical marijuana legalized in Oklahoma
  • 2018 – Recreational marijuana legalized in Vermont

Do cannabis dispensaries fall under HIPAA?

With marijuana now widely classified in the US as a medical product, the issue arises as to whether cannabis dispensaries should be subject to Health Insurance Portability and Accountability Act (HIPAA) rules.

HIPAA regulations make it a federal crime for any healthcare provider to expose protected health information (PHI) that could be used to identify an individual. Fines can reach $50,000 for every exposed record.

But, says Bryan Repetto of Royse Law, it’s not always obvious whether a marijuana dispensary falls under HIPAA rules – and official guidance is lacking.

“Whether a cannabis-related entity could be considered a healthcare provider would depend on whether it’s licensed as such by a state, and whether it provides services other than dispensing cannabis,” he told The Daily Swig.

“If cannabis was distributed by a medical practice, which is a covered entity, or a retail pharmacy, HIPAA regulations would be applicable.”

Legal weed is now big business in North America, but the industry must take its customers’ privacy seriously

That isn’t to say, however, that dispensaries falling outside this definition can get away with a data breach, thanks to other privacy regulations.

“These vary by state, but in the event of a breach, clients may have remedies available under other laws and enforcement action can be taken by a state attorney general,” said Repetto.

The implications for customers are also unclear.

“There’s a chance that their personal data is being used in identity fraud, that payment information like credit card numbers are being used to make purchases, that personal health information is being used for insurance fraud,” said Forrester’s Alla Valente.

However, the confused nature of drug laws in the US mean that there are other possible implications. Under federal law, marijuana is illegal, meaning that those who partake in one state could find themselves in trouble if, for example, they work in another.

There’s a distinct possibility that stolen data could, as when infidelity-enabling website Ashley Madison was hacked in 2015, be used for blackmail.

“There are so many implications for individuals,” said Valente, “and as the sophistication of cybercriminals continues to grow, that data will undoubtedly be used in ways we haven’t yet dreamed of.”

READ MORE Bridging the gap: US federal agencies to aid greater state-level cyber protection