A point of sale vendor for at least three cannabis dispensaries in the United States exposed the personal data of at least 30,000 cannabis users, including full names, photo IDs, dates of birth, telephone numbers, home addresses, medical ID numbers, email addresses, signatures, cannabis variety and quantity purchased, and sales figures when it failed to password protect the information online.

According to security researchers, the exposure of the information in the cloud occurred between December 24, 2019, and January 14, 2020, when 85,000 files were left unprotected in a cloud database. They “were able to access…the database because it was completely unsecured and unencrypted. We could access all files hosted on the database.”

Two of the dispensaries that used the third-party point of sale vendor dispense medical marijuana, while the third dispenses cannabis for recreational use.

According to the security researchers at vpnMentor, “This raises serious privacy concerns. Medical patients have a legal right to keep their medical information private.” Others have commented that the information could be used by threat actors for targeted scams, sophisticated phishing attacks, or embarrassment and shame scams.

One of the dispensaries admitted that its users’ information may have been involved, and that it will identify and notify any affected individuals as required under HIPAA.