Butler County medical pot store says business boomed in first months

Credit: DaytonDailyNews

caption arrowCaption
Bloom Medicinals medical marijuana dispensary opens in Seven Mile

Credit: DaytonDailyNews

The fledgling medical marijuana industry was hit by a report of a large patient data breach last week, but the Butler County dispensary involved said patient confidentiality should be secure and their operation is thriving overall.

Bloom Medicinals opened a new medical marijuana shop in tiny Seven Mile last October. A report released last week indicated that more than 30,000 medical marijuana purchasers nationally had their sensitive personal information breached. Bloom Medicinals was one of three companies in the U.S. identified in the data breach.

Privacy researchers at vpnMentor discovered a breach in the THSuite point-of-sale system used by Bloom and other medical marijuana companies.

The software company said it is confident patient information was not available to the general public.

“We recently discovered that certain customer records were potentially accessible on one of our servers for a short period. Specifically, an organization tasked with locating possible vulnerabilities located the data at a non-published network address, which has now been secured,” the company said in a statement. “We have internally found no evidence that the data was viewed by anyone other than the security analysts who notified our company that the data was potentially accessible.”

Bloom, which also has locations in Akron, Columbus, Maumee and Painesville issued the following statement:

“At Bloom Medicinals we take patient privacy very seriously. We have been notified that our third-party technology provider, THSuite, may have had a vulnerability in their software architecture. We are working closely with our technology vendor to identify if any of Bloom Medicinals’ patient data has been affected. Once we conclude our investigation we will take appropriate action and provide additional updates.”

The research team at vpnMentor announced the data breach exposed information about the dispensary’s inventory, monthly sales reports, and compliance reports, as well as patient details such as birth dates, address and phone number and other information.

“We were able to view the dispensary’s monthly sales, discounts, returns, and taxes paid,” the company reported. “The sales were further broken down by payment method and product type.”

Patients can only use cash to purchase their prescriptions at the majority of the dispensaries, including Bloom, because banks don’t generally want to deal with pot. A position paper by the American Bankers Association explains why.

“Possession, distribution or sale of marijuana remains illegal under federal law, which means any contact with money that can be traced back to state marijuana operations could be considered money laundering and expose a bank to significant legal, operational and regulatory risk,” the paper reads.

Ali Simon, a spokeswoman for the State of Ohio Board of Pharmacy that regulates the dispensaries, said Bloom is the only Ohio medical marijuana company that uses the THSuite point-of-sale system in question. The board had no comment.

As of Jan. 15, the 48 dispensaries statewide sold $60.6 million worth of prescription pot to 55,617 patients since the statewide program began in January 2019. There are about 78,500 registered patients.

MORE: Data breach may have affected Butler County medical marijuana customers

Andrew Wagner, head of operations for Bloom, declined to comment on the breach. He said business has been strong since the shop opened with nine employees, and it now employs 11 people.

“Business has been good, we’ve been able to assist many patients in providing relief with medical cannabis,” he said. “We are very pleased with our progress to date and look forward to continued growth.”

The tiny hamlet north of Hamilton seemed an odd location to many, but Wagner said patients have been coming to the store from as far as 45 minutes away.

“Our first several months in Seven Mile have been busy and exciting,” Wagner said “There are always new challenges that keep us on our toes but all the hard work pays off when you receive positive feedback from patients letting you know medical cannabis is improving their lives.”

The only other shop in Butler County is Strawberry Fields in Monroe, but there may be more locations allowed in the future. Strawberry Fields was not implicated in the reported data breach.

“We’re going to start examining the number of patients and looking at opportunities for potential additional dispensaries,” Cameron McNamee, director of policy and communication for the Ohio Board of Pharmacy, said previously. “We made it clear that the program is flexible, so that’s why we started with a smaller number and it will grow with the demand of the patients in Ohio.”

About Wellness Ohio in Lebanon was the first to open in this area last May, and Bloom and Strawberry Fields opened in October.

“We went into this having no expectations, this was a completely new program and so I think the board of pharmacy, our focus has always been having a patient safe and centered program,” Simon said. “So we’ve approached every month looking at it from that perspective.”

About the Author