#Privacy: Data breach exposes US cannabis users

THSuite, a point-of-sale system in the cannabis industry, has exposed the personally identifiable information (PII) of over 30,000 US Cannabis customers. 

On December 24, 2019, the vpnMentor’s research team, led by privacy researchers Noam Rotem and Ran Locar, discovered an unsecured Amazon S3 bucket without any authentication or security online. 

The database was identified as being owned by THSuite, a company offering business process management software services to cannabis dispensary owners and operators in the US. 

“Cannabis dispensaries have to collect large quantities of sensitive information in order to comply with state laws.The THSuite platform is designed to simplify this process for dispensary operators by automatically integrating with each state’s API traceability system. As a consequence of this, the platform has access to a lot of private data related to dispensaries and their customers,” explained vpnMentor. 

According to the research team, over 85,000 files were leaked in the breach, including over 30,000 records with sensitive PII. 

The breach involved data from AmediCanna Dispensary, a medical marijuana dispensary located in the state of Maryland. The full names of patients and staff members, phone numbers, dates of birth, email addresses, physical addresses, medical ID numbers, cannabis used, price, quantity, and receipts were all available to view by anyone. 

The data breach also exposed information about Bloom Medicinals, an Ohio-based medical marijuana dispensary and Colorado Grow Company, a recreational marijuana dispensary located in the city of Durango, Colorado. 

The breach raises serious privacy concerns as extremely sensitive information about medical marijuana patients was exposed. 

“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally,” said vpnMentor.

Additionally, threat actors can take advantage of the exposed details and create personalised phishing attacks or even commit identity theft.

Currently under HIPAA regulations, it is a federal crime in the US for any health services provider to expose protected health information that could be utilised to identify an individual. Those found violating HIPAA can face fines up to $50,000 for every exposed record, or even jail time. 

Affected customers are recommended to speak directly with their provider to find out if they are using THSuite or have done so in the past. 


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/