13 comments

[ 2.9 ms ] story [ 44.2 ms ] thread
Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.
So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?

What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/

my neighborhood weed guy would never betray my trust in this way.
free bank accounts for money laundering

(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)

daily reminder that KYC is a joke, the institutions and enforcement agencies that think it works, don’t know when its not working as long as a real id and ssn and address is used

  Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician‑certified medical marijuana cards. The database held PII, drivers licenses, medical records, documents containing SSNs, and other internal potentially sensitive information.
So, the absolute bare minimum was not followed. Just wide open database containing medical information.
One more thing to note here: anybody in this database that is also part of the OPM leaks or holds a federal job (or is a trucker or other non-drug requirement) will now be compromised and subject to blackmail.

If the dots are connected they will lose their jobs. Full stop.

> As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions.

And that should be treated as a massive liability, where one breach wipes out your company with lawsuits. And the wronged parties can go after the assets of executives and maybe even investors, due to willful criminal negligence.

If there's any justice, the "greed is good" techbro industry will finally be told that the sociopathic combination of systemic surveillance/stalking and gross indifference about even basic security is over.

What if like... man... what if it was all vibe coded? huhuhuh!
Publicly accessible, not password protected, not encrypted. That is insanity.