Medical marijuana portal exposes thousands of Social Security numbers

The data was available with a simple Google search.

Feb 28, 2020, 6:20 pm*

Andrew Couts 

Photo via danielfsnink/Flickr

Nevada’s medical marijuana application system has exposed the personal information of thousands of dispensary applicants, the Daily Dot has learned. 

A vulnerability in Nevada’s Medical Marijuana Program portal makes available on the open internet the full, unredacted PDFs of over 11,700 dispensary applications, which include names, phone numbers, home addresses, dates of birth, driver’s license numbers, and complete Social Security numbers. 

The unsecured database, discovered by medical-industry security researcher Justin Shafer, remained exposed a week after the Nevada Division of Public and Behavioral Health (DPBH), which operates the portal, brought the system back online after a security “problem” forced the agency to take it down Dec. 8.

The portal was taken offline following media reports about the exposed applications.

The DPBH was “given the go ahead” to bring the Medical Marijuana Program portal back online on Dec. 15, Joe Pollock, deputy administrator of the DPBH, told the Las Vegas Review-Journal on Dec. 21. Pollock said the agency did “not have any evidence at this time that indicates the data in the Portal has been compromised.”

Shafer says he discovered the data-revealing PDFs after a simple Google search. The Daily Dot was able to recreate the search, which displayed one applicant’s Social Security number on the Google Search page. 

The PDF’s URL exposed by the Google search allows anyone to access thousands of other completed applications because of the way the PDFs are indexed. The Daily Dot is not publishing the URL out of caution for the applicants affected by the vulnerability.

NORML estimates that Nevada has some 20,773 registered medical marijuana patients. 

The Daily Dot left voicemails with a number of people exposed by the leaky database to alert them to the vulnerability and confirm they applied to work in medical marijuana dispensaries. One of the applicants, who asked not to be named, confirmed that he registered with the Nevada Medical Marijuana Program and confirmed the personal information included on an application viewed by the Daily Dot.

In a statement, Nevada DPBH said it was investigating a “cyberattack” on its system and reassured Nevada residents that, at this time, all “private patient information is considered to be secure.” 

“The entire portal has been taken down,” Cody Phinney, DPBH administrator, said in a statement. “To prevent further breaches, the Division’s IT staff are working with state IT staff, investigating the breach. We appreciate everyone’s patience during this difficult time. As more information is known, the public will be notified.”

DPBH said it has contacted a number of credit-reporting services to alert them that a number of dispensary applicants’ personal information was exposed. DPBH has also contacted law enforcement agencies “for further investigation.”

Update 11am CT, Dec. 28: The Medical Marijuana Program system hosting the exposed PDFs is currently inaccessible.

Update 11:45am CT, Dec. 28: A spokesperson for Nevada’s state government tells ZDNet that they have taken the system offline and plan to notify affected applicants within days.

Update 6:45pm CT, Dec. 28: Added comment from DPBH.

Correction: The applications exposed by the vulnerability are of people who registered to work in medical marijuana dispensaries. We regret the error.

*First Published: Dec 28, 2016, 11:21 am