How many records were exposed in the Ohio Medical Alliance database?

The exposed database contained 957,434 records. However, it's not certain that each record pertains to a different patient. At least 200,000 individuals are estimated to be exposed based on the exposed clients and partners, including approximately 210,620 email addresses.

What type of sensitive information was exposed in the Ohio Medical Alliance breach?

The exposed data includes high-resolution images of driver's licenses and identification documents, names and physical addresses, dates of birth and license numbers, patient intake forms and medical records, medical release forms, physician certification forms containing Social Security numbers, mental health evaluations including PTSD and anxiety conditions, medical documents indicating patients' diagnoses and reasons for seeking medical marijuana prescriptions, approximately 210,620 email addresses, and internal communications and staff comments about clients.

How was the Ohio Medical Alliance data exposure discovered and resolved?

Cybersecurity researcher Jeremiah Fowler discovered the exposed database and sent a responsible disclosure notice to OMA. The database was restricted from public access the following day after the notification.

Did Ohio Medical Alliance respond to the researcher who discovered the breach?

No, the researcher did not receive any reply to the responsible disclosure notice from Ohio Medical Alliance, despite the database being secured the day after notification.

What file formats were found in the exposed Ohio Medical Alliance database?

The majority of files in the database were in PDF, JPG, and PNG formats, with one CSV document named 'staff comments' containing internal communications, notes about clients, appointments, status, and personal situations.

What medical conditions were referenced in the exposed Ohio Medical Alliance data?

The exposed data included mental health evaluations for conditions including PTSD and anxiety, as well as medical documents indicating patients' various diagnoses and reasons for seeking medical marijuana prescriptions for qualifying health conditions.

Is it known who was responsible for managing the exposed database?

It is not known if the database was owned and managed directly by Ohio Medical Alliance or by a third-party contractor. The ownership and management structure of the exposed database has not been disclosed.

How long was the Ohio Medical Alliance database exposed?

It is not known how long the database was exposed before discovery, or if anyone else may have gained access to it prior to the researcher's discovery and responsible disclosure.

What makes this Ohio Medical Alliance data exposure particularly sensitive?

This breach is particularly sensitive because it involves medical marijuana patient records, including mental health evaluations, medical diagnoses, high-resolution ID images, Social Security numbers, and detailed personal medical information that could be used for discrimination or other harmful purposes if misused.

Incident

Medical marijuana provider Ohio Medical Alliance leaks one million patient records

published: Aug. 19, 2025

Learn More

Cybersecurity researcher Jeremiah Fowler discovered and reported an exposed database that contains 957,434 records belonging to Ohio Medical Alliance LLC (OMA), an Ohio-based organization operating under the brand "Ohio Marijuana Card".

Ohio Medical Alliance is a telemedicine and in-person provider that provides evaluations for a wide range of qualifying health conditions through state-licensed doctors. ccording to their website, OMA has helped over 330,000 patients nationwide access medical marijuana.

Fowler sent a responsible disclosure notice to OMA, and the database was restricted from public access the following day. The researcher did not receive any reply to the responsible disclosure notice.

The majority of files in the two databases were in PDF, JPG, and PNG formats, with one CSV document named "staff comments" containing a large amount of internal communications, notes about clients, appointments, status, and personal situations. The exposed records exposed data includes:

High-resolution images of driver's licenses and identification documents
Names and physical addresses
Dates of birth and license numbers
Patient intake forms and medical records
Medical release forms
Physician certification forms containing Social Security numbers
Mental health evaluations including PTSD and anxiety conditions
Medical documents indicating patients' diagnoses and reasons for seeking medical marijuana prescriptions
Approximately 210,620 email addresses of clients and internal employees or business partners
Internal communications and staff comments about clients, appointments, and personal situations

The number of affected individuals is not disclosed. The number of exposed records is 957,434 but it's not certain that each record pertains to a different patient. At least 200,000 individuals are exposed based on the exposed clients and partners.

It is not known if the database was owned and managed directly by OMA or by a third-party contractor, how long the database was exposed before discovery, or if anyone else may have gained access to it.

No official statement or notification has been published by Ohio Medical Alliance regarding this incident. The company has not disclosed whether law enforcement or regulatory authorities have been notified about the data exposure.

Medical marijuana provider Ohio Medical Alliance leaks one million patient records

Read More
Ransomware gang attacks Maryhaven addiction and treatment centers
Pembina County Memorial Hospital reports data breach
Corewell Health reports second third party data breach …
AlohaCare reports MOVEit related data breach, impacts 12k …
Marshfield Clinic Health System reports email account compromise …