Privacy researchers at vpnMentor discovered a breach in a point-of-sale system used by Bloom and other medical marijuana companies.
They said the data breach exposed information about the dispensary’s inventory, monthly sales reports, and compliance reports, as well as the following patient details:
• Full name
• Date of birth
• Medical/State ID and expiration date
• Phone number
• Email address
• Street address
• Date of first purchase
• Whether or not the patient received financial assistance for cannabis purchases
• Whether or not the patient opted in for SMS text notifications
“We were able to view the dispensary’s monthly sales, discounts, returns, and taxes paid,” the company reported. “The sales were further broken down by payment method and product type.”
In Ohio, patients can only use cash to purchase their prescriptions.
Ali Simon, a spokeswoman for the State of Ohio Board of Pharmacy that regulates the dispensaries, said Bloom is the only Ohio cannabis company that uses the THSuite point-of-sale system in question.
“The board takes any breach of data security and private patient information very seriously,” Simon wrote. “The board cannot comment at this time, but is looking into this issue.”
Bloom could not immediately be reached for comment.
The Seven Mile location opened last October on Main Street.
About the Author