Data Breach Summary
In a significant breach of patient confidentiality and data security, an unprotected and publicly accessible database containing more than 957,000 sensitive medical records has been discovered. The breach appears to involve Ohio Medical Alliance LLC (OMA), a multi-state telemedicine provider operating under the brand Ohio Marijuana Card, which assists patients in obtaining medical marijuana certifications.
The database, totaling 323 gigabytes, was found online without password protection or encryption. According to reports, the data allegedly contained high-resolution images of government-issued IDs, including driver’s licenses, as well as intake forms, mental health evaluations, medical records, release forms, and physician certifications—many of which included full names, addresses, dates of birth, license numbers, and Social Security numbers. Some folders were even labeled with patients’ first and last names.
A sampling of the data revealed highly personal and sensitive information: medical marijuana evaluations for conditions such as PTSD, anxiety, and other mental health disorders, as well as internal staff notes, emails, appointment logs, and other communications. One CSV file labeled “staff comments” alone contained more than 210,000 email addresses, many tied to clients, employees, and business partners.
The breach, now closed after the researcher sent a responsible disclosure notice to OMA, raises critical concerns. While the database is no longer accessible, OMA never responded to the notification, and it remains unclear how long the data was publicly exposed or whether malicious actors accessed it during that time.
The nature of the exposed records could create substantial risks. These include:
Identity theft and financial fraud: Social Security numbers and ID images can be used to open fraudulent accounts.
Medical identity theft: Unauthorized access to healthcare services using stolen medical information.
Harassment or extortion: Disclosure of sensitive mental health or marijuana-related diagnoses could be weaponized against individuals.
Stigma and reputational damage: In states or social circles where medical marijuana use is controversial, privacy breaches could lead to discrimination or judgment.
The breach also included medical record release forms, which, in the wrong hands, could be used to impersonate patients and gain unauthorized access to additional healthcare data.
Although no cases of identity fraud linked to this incident have been reported, we advise clients to:
Activate the free Experian credit monitoring provided
Review credit reports and healthcare statements for suspicious activity
Consider placing a Fraud Alert or Security Freeze on credit files
If you received a notification about the breach, you may want to explore your legal options. Ohio Medical Alliance's failure to protect sensitive patient data has potentially exposed individuals to identity theft and other risks. You could be eligible to join a class action lawsuit against Ohio Medical Alliance for damages caused by the breach.
To determine if you qualify for the class action lawsuit or need further legal support, contact Class Action U for a free consultation. Our legal experts can help you navigate the next steps and ensure that your voice is heard in the fight for justice and accountability.
©2024 ClassActionU