Patients of a Butler County medical marijuana dispensary may have had some of their personal information compromised, but the software company at the heart of the data breach says that is unlikely.
Bloom Medicinals opened a new medical marijuana shop in tiny Seven Mile last October. A report released this week indicated that more than 30,000 medical marijuana purchasers nationally had their sensitive personal information breached. Bloom Medicinals was one of three companies in the U.S. identified in the data breach.
Privacy researchers at vpnMentor said they discovered a breach in the THSuite point-of-sale system used by Bloom and other medical marijuana companies.
THSuite, the software company targeted in the breach, said it is confident that patient information was not available to the general public.
“We recently discovered that certain customer records were potentially accessible on one of our servers for a short period,” THSuite said in a statement. “Specifically, an organization tasked with locating possible vulnerabilities located the data at a non-published network address, which has now been secured.
“We have internally found no evidence that the data was viewed by anyone other than the security analysts who notified our company that the data was potentially accessible.”
Bloom, which also has locations in Akron, Columbus, Maumee and Painesville, would not answer any questions about the situation but issued the following statement:
“At Bloom Medicinals we take patient privacy very seriously,” the company said. “We have been notified that our third-party technology provider, THSuite, may have had a vulnerability in their software architecture. We are working closely with our technology vendor to identify if any of Bloom Medicinals’ patient data has been affected. Once we conclude our investigation we will take appropriate action and provide additional updates.”
The research team at vpnMentor announced that the data breach exposed information about the dispensary’s inventory, monthly sales reports, and compliance reports, as well as the following patient details:
• Full name
• Date of birth
• Medical/State ID and expiration date
• Phone number
• Email address
• Street address
• Date of first purchase
• Whether or not the patient received financial assistance for cannabis purchases
• Whether or not the patient opted in for SMS text notifications
“We were able to view the dispensary’s monthly sales, discounts, returns, and taxes paid,” vpnMentor said. “The sales were further broken down by payment method and product type.”