When medical marijuana first rolled around, many patients were anxious about the idea of their names sitting on government lists of marijuana patients. Their concern, however, was focused on the idea that the state or federal government might decide to start arresting patients. More than a decade and half later, those fears have largely vanished, but recent events in Nevada serve as a reminder that the potential for cannabis arrests are not the only reason to be concerned about where your personal data sits. Over the past week, the personal details of over 11,000 Nevada medical marijuana applications have been made publically available due to what appears to be bad data management and security practices by the State of Nevada.
As reported by ZDNet, an error in the way that the application database was indexed meant that through a Google search, it was possible to locate the ostensibly confidential application data of individuals applying to dispense medical marijuana in the state. Each eight page application included the applicant’s, name, sex, date of birth, social security number, race, height, weight, and driver’s license number.
The Nevada Department of Health and Human Services, the state agency responsible for the medical marijuana program, reports that it has now taken the database offline, though we are unable to verify this statement. As required by Nevada state law, the Department will notify affected applicants of the data breach over the next several days.
With data hacking ever more frequently in the news, it is disheartening to see this confidential and personal data released not due to the covert actions of a malicious individual, but because of simple carelessness with regards to database management at the Nevada Department of Health and Human Services. Dispensary applicants deserve better. Instead, they are now vulnerable to identity theft and fraud.