Medical cannabis patient data exposed by unsecured database(wired.com)
69 points by hacker_yacker 2 days ago | 70 comments
shifty1 2 days ago | parent | next [-]

https://archive.is/Mp0qt

0cf8612b2e1e 2 days ago | parent | prev | next [-]

  Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician‑certified medical marijuana cards. The database held PII, drivers licenses, medical records, documents containing SSNs, and other internal potentially sensitive information.
So, the absolute bare minimum was not followed. Just wide open database containing medical information.
firefax 2 days ago | parent [-]

More evidence cannabis needs to be recreational. We can let people use their FSA money for it and/or give a steep discount to people who "really" need it, like cancer patients... but I think a lot of people who bounce between

Anyways, there are a LOT of little fly-by-night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent-seek, and it's not at all a surprise one had poor data practices.

recursive 2 days ago | parent | next [-]

This seems totally unrelated to whether cannabis should be recreational. If my insurance company leaked my PHI, that would certainly not be evidence that any of my prescriptions should be OTC.

firefax 2 days ago | parent | next [-]

>This seems totally unrelated to whether cannabis should be recreational.

Basically, they only pretend it's "medical" in order to gatekeep and rent-seek care. Since they are interested in profit rather than actual services, their systems tend to have many issues.

amy_petrik a day ago | parent | prev | next [-]

I mean... if you ask me prescriptions for things like cholesterol or blood pressure should be OTC, benefit outweighs the risk. Nobody is getting high off statins. Imagine how much that would save our healthcare system. Insulin is the one dubious thing because it can be very deadly if misused... and it IS in fact OTC because it can be deadly if unavailable, benefit outweighs the risk.

AlecSchueler a day ago | parent | next [-]

Insulin is very much not "the one" dubious thing. There are very many things which are prescribed that have abuse potential and which could be deadly if misused.

to11mtm a day ago | parent | prev [-]

> Nobody is getting high off statins.

I mean, fun story time; back in 2014 my dad's house was broken into, and among other things they stole a bottle of a benzo, and while most of my dad's medications were untouched they stole his blood pressure meds.

As I was opining this to a colleague, another employee who was within earshot explained that no, for certain things it can 'enhance' the high... go figure.

firefax 11 hours ago | parent [-]

I am fairly knowledgeable about drug abuse but was not aware of that, maybe your coworker was slightly telling on themselves?

(Sadly mostly through dealing with others navigating it, in case anyone is jonesing for judgement.)

hacker_yacker 2 days ago | parent | prev [-]

IMHO only reason cannabis is illegal is it's a threat to Pharma Industry, Pharma Lobby, aka organized, legal crime.

Krssst 2 days ago | parent | next [-]

Despite some of the discourse there are some long term side-effects (though it seems mostly especially bad for adolescents where stopping consumption does not revert the impact on cognitive function): https://en.m.wikipedia.org/wiki/Long-term_effects_of_cannabi...

Then it's a societal choice between the benefits of easier access to it for medical use (non-OTC drugs are harder to get when you need them) plus lower burden on law enforcement when it does not have to deal with this anymore, and the opportunity cost to society when some people don't use it responsibly and waste their chances. I see positives and negatives for both choices.

(I don't believe other drugs being legal is an argument, alcohol and tobacco wouldn't be legal if discovered today but because they have widespread use it's impossible to forbid them)

kjkjadksj 2 days ago | parent [-]

Cannabis is widely used today. Half of US adults have smoked it at one point in their life. 20% regularly smoke it. We are at the point where more people use it than alcohol in the US.

carlmr a day ago | parent | next [-]

>We are at the point where more people use it than alcohol in the US.

Citation needed on that one.

kjkjadksj a day ago | parent [-]

https://apnews.com/article/marijuana-cannabis-alcohol-drinki...

Krssst a day ago | parent | prev [-]

From the standpoint of "hard to ban what's used by a large part of the population" this does justify legalization indeed.

I don't have strong opinions on this, I was mostly a bit triggered by the parent comment's weird theory that "cannabis was only forbidden because of criminal big pharma". (I assumed "only reason" implied that they thought it was a safe drug without side-effects or risks; all (medical/non-medical) drugs have side-effects and risks, so not being 100% safe isn't a reason for banning by itself, but that's a factor in the risk/benefit balance).

AlecSchueler a day ago | parent | next [-]

> From the standpoint of "hard to ban what's used by a large part of the population" this does justify legalization indeed.

I think they meant more that the negative effects don't seem that big because most people are ok even with such a large proportion of people already being experienced with it.

> triggered by the parent's comment weird theory that "cannabis was only forbidden because of criminal big pharma".

I don't believe it was either but I'm not sure your counter evidence really works. The science that you alluded to about long term effects all significantly post-dates the ban so couldn't have played a role in it.

a day ago | parent | prev [-]
[deleted]
2 days ago | parent | prev [-]
[deleted]
reactordev 2 days ago | parent | prev | next [-]

I could get behind this so long as there’s still limits on your person and in public places. Colorado has a great system. However, legalization has only created weed monopolies by abuse of the law language. Essentially making it illegal for smaller shops to compete.

Those same people are the ones contracting out these systems with local governments.

kjkjadksj 2 days ago | parent [-]

The limits don’t really make sense either. Plenty of people grow for personal use and all of them will be in violation considering the yield from a single outdoor plant could be well over a pound dry.

reactordev a day ago | parent [-]

If you grow for personal use, why are you transporting it? I’m fine with storing as much as you like as home. If it’s legal across the US then this doesn’t really matter at all. I’m talking about limits on your person, for personal use, when not at home, in public. I don’t want to smell like a Rastafarian when I go to work.

kjkjadksj a day ago | parent [-]

To smoke with others?

reactordev 15 hours ago | parent [-]

Do you need a kg to do that or is an ounce enough? I feel like an oz is enough to transport to your friends and get them all passed out. In some states the limit is 2 oz.

kjkjadksj 13 hours ago | parent [-]

Why even limit it though? I can bring ten thousand cans of beer to my friend’s house, I don’t see why this is any different. It is just designed so there is still a mechanism to entrap people. If dealing without a commercial license is already illegal, then having some personal amount limit is redundant if that is supposedly the reason for it.

metalman a day ago | parent | prev [-]

ya, here in Canada (caniba), nobody much cared what someone smoked or why, as long as they did it downwind and out of sight, since forever, and I have heard irate little ones admonishing adults "you're not supposed to do that around us!" and grown adults eye rolling and moving off....now there are certain parks for the weed heads, and various semi-legal stores and some government weed outlets, but as it's not called weed for nothing, millions grow the little they want for personal use, and for people wanting it for medical reasons, there is a vast network of people helping people. We went through the whole "certified medical cannabis" thing, and it collapsed under overwhelming demand, and the impossibility of scaling the management, where the police and courts flat out refused to try and untangle the "legitimate" and "illegitimate", and we are back to what it was in the past with an informal understanding of ....go downwind and out of sight of the kids, thank you

sailfast 2 days ago | parent | prev | next [-]

So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?

What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/

nickff 2 days ago | parent | next [-]

From some quick research, it seems unclear whether dispensaries are covered entities under HIPAA, as they are not reimbursed by Insurers, due to the federal illegality of the drug. https://mjbizdaily.com/do-medical-marijuana-companies-need-t...

sailfast 2 days ago | parent [-]

Kinda incredible - even if they’re not covered providers they are still requesting medical records!

lmkg 2 days ago | parent | next [-]

HIPAA is not a privacy law, nor even a healthcare law. It's an insurance law. It does not cover medical records generally. It deals strictly with how doctors bill insurance companies, and mandates security for health information being billed about.

For the same reason, health & wellness apps are not generally covered by HIPAA, and in fact quite a few of those exist solely for the purpose of selling medical data to data brokers. Especially ones related to women's health.

nickff 2 days ago | parent | prev [-]

They usually require records for compliance with state regulations (but the state does not require them to follow HIPAA).

time0ut 2 days ago | parent | prev | next [-]

Medical marijuana dispensaries are not covered entities under HIPAA [0]. The way the law works is weird, but they are not required to comply. All the more reason the federal government needs to catch up with the times on cannabis.

[0] https://www.hhs.gov/hipaa/for-professionals/covered-entities...

adi4213 2 days ago | parent | prev | next [-]

I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!

hx8 2 days ago | parent [-]

Sure, but if it was a HIPAA compliance issue then the legal action path is easier and more lucrative.

2 days ago | parent | prev [-]
[deleted]
hacker_yacker 2 days ago | parent | prev | next [-]

Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.

sailfast 2 days ago | parent | prev | next [-]

One more thing to note here: anybody in this database that is also part of the OPM leaks or holds a federal job (or is a trucker or other non-drug requirement) will now be compromised and subject to blackmail.

If the dots are connected they will lose their jobs. Full stop.

riffic 2 days ago | parent | prev | next [-]

my neighborhood weed guy would never betray my trust in this way.

dolebirchwood 2 days ago | parent | next [-]

Mine once asked if I'd like a referral to a doctor who was quite liberal in approving people for medical cards in my jurisdiction. I said, "And end up being tracked as a known user in a government database? No thanks." Safer on the streets.

grugagag 2 days ago | parent | prev | next [-]

Your neighborhood weed guy would never have your personal information, perhaps not even your full name; a nickname would suffice. But I get the point and the pun. It’s all a big charade.

s5300 2 days ago | parent | prev | next [-]

[dead]

jrflowers 2 days ago | parent | prev [-]

In Ohio the neighborhood weed guy could get hit with a felony and 18 months in jail for a half pound so… like, he might

kjkjadksj 2 days ago | parent [-]

In practice it's pretty hard to actually get caught selling drugs.

nope1000 a day ago | parent | prev | next [-]

Publicly accessible, not password protected, not encrypted. That is insanity.

SnuffBox a day ago | parent [-]

Insani-tea, if you will?

nope1000 a day ago | parent [-]

Ha, very good

hardwaresofton 2 days ago | parent | prev | next [-]

Why is the database not named?

hobs 2 days ago | parent [-]

Because they want you to click one more time to the other article that names it. https://www.websiteplanet.com/news/ohio-medical-alliance-bre...

hardwaresofton 2 days ago | parent [-]

I did click that -- it didn't have it listed either...

I think I wasn't clear, I wanted to know which database system people were using (i.e. Postgres, Mongo, etc). You can't even run Postgres in a container without a password these days, how could someone do a whole production deployment without a password.
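As an added example (not code from the article, from the company it names, or from anyone in this thread), here is a small Python audit for the configuration class hardwaresofton is asking about: it parses a PostgreSQL pg_hba.conf and flags rules that grant passwordless ("trust") or network-wide access, and it checks the official Postgres container image's documented POSTGRES_HOST_AUTH_METHOD=trust opt-out, which is the only way that image starts without a password. The sample config and environment are constructed; nothing on the page says which database system the exposed deployment actually used.

```python
"""Audit PostgreSQL client-authentication settings for passwordless or
network-wide access. Added example; the sample inputs below are constructed."""
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
NO_AUTH_METHODS = {"trust"}          # no credential is checked at all
WEAK_METHODS = {"password", "md5"}   # cleartext or legacy hashed passwords


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_wide_open(address):
    """True when an address field matches every client: 'all', 0.0.0.0/0, ::/0."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or samehost/samenet keyword


def parse_hba(text):
    """Parse pg_hba.conf lines into dicts; unknown or malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local" and len(fields) >= 4:
            entries.append(dict(line=lineno, type="local", database=fields[1],
                                user=fields[2], address=None, method=fields[3]))
        elif conn_type in HOST_TYPES and len(fields) >= 5:
            address, rest = fields[3], fields[4:]
            # "ADDRESS NETMASK" form, e.g. "10.0.0.0 255.0.0.0": fold into CIDR
            if "/" not in address and _looks_like_ip(rest[0]):
                address = str(ipaddress.ip_network(f"{address}/{rest[0]}", strict=False))
                rest = rest[1:]
            if rest:
                entries.append(dict(line=lineno, type=conn_type, database=fields[1],
                                    user=fields[2], address=address, method=rest[0]))
    return entries


def audit_hba(text):
    """Return (line, severity, message) for each risky rule."""
    findings = []
    for e in parse_hba(text):
        addr, method = e["address"], e["method"]
        target = f"db={e['database']} user={e['user']}"
        if method in NO_AUTH_METHODS and e["type"] == "local":
            findings.append((e["line"], "MEDIUM", f"'trust' on local socket for {target}"))
        elif method in NO_AUTH_METHODS:
            scope = "any client" if _is_wide_open(addr) else addr
            findings.append((e["line"], "HIGH", f"'trust' lets {scope} reach {target} without a password"))
        elif addr is not None and _is_wide_open(addr) and method in WEAK_METHODS:
            findings.append((e["line"], "MEDIUM", f"network-wide rule uses weak method '{method}'"))
        elif e["type"] == "host" and addr is not None and _is_wide_open(addr):
            findings.append((e["line"], "LOW", "plain 'host' rule open to every address; prefer hostssl"))
    return findings


def check_container_env(env):
    """Flag the official postgres image's opt-out from password authentication."""
    if env.get("POSTGRES_HOST_AUTH_METHOD") == "trust":
        return [("HIGH", "POSTGRES_HOST_AUTH_METHOD=trust disables password auth for all hosts")]
    if not env.get("POSTGRES_PASSWORD"):
        return [("INFO", "no POSTGRES_PASSWORD set; the image refuses to initialise without one")]
    return []


# Constructed sample pg_hba.conf: one local rule, one loopback rule, one wide-open
# trust rule, one wide-open md5 rule, and one sane netmask-form rule.
SAMPLE_HBA = """# constructed sample
local   all       all                                  peer
host    all       all   127.0.0.1/32                   scram-sha-256
host    all       all   0.0.0.0/0                      trust
host    all       all   ::/0                           md5
hostssl patients  app   10.0.0.0 255.0.0.0             scram-sha-256
"""

if __name__ == "__main__":
    for line, sev, msg in audit_hba(SAMPLE_HBA):
        print(f"pg_hba.conf:{line} [{sev}] {msg}")
    for sev, msg in check_container_env({"POSTGRES_HOST_AUTH_METHOD": "trust"}):
        print(f"container env [{sev}] {msg}")
```

Run against the sample, the auditor reports the 0.0.0.0/0 trust rule as HIGH and the ::/0 md5 rule as MEDIUM, and leaves the loopback and netmask-scoped scram-sha-256 rules alone; pointing it at a real deployment's pg_hba.conf and container environment is the pre-production check that would have caught the "no password at all" case the thread is discussing.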

neilv 2 days ago | parent | prev | next [-]

> As legal cannabis has expanded around the United States for both recreational and medical use, companies have amassed troves of data about customers and their transactions.

And that should be treated as a massive liability, where one breach wipes out your company with lawsuits. And the wronged parties can go after the assets of executives and maybe even investors, due to willful criminal negligence.

If there's any justice, the "greed is good" techbro industry will finally be told that the sociopathic combination of systemic surveillance/stalking and gross indifference about even basic security is over.

cpursley 2 days ago | parent | prev | next [-]

Mongo?

yieldcrv 2 days ago | parent | prev | next [-]

free bank accounts for money laundering

(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)

daily reminder that KYC is a joke, the institutions and enforcement agencies that think it works don’t know when it’s not working as long as a real id and ssn and address is used

aspenmayer 2 days ago | parent [-]

Now show cashing out.

This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.

For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.

yieldcrv 2 days ago | parent [-]

You cash out in your personal account by launching a memecoin and buying a tiny bit on launch (or minting extra for yourself)

the baked xmr funds are once again swapped into virgin addresses that all buy your memecoin, with your clean funds you sell your position into the liquidity pool of the pumped coin

it looks the same as any other launch. are they bots, are they retail degens? who knows, pay capital gains tax and move on.

you can modify this by having the virgin addresses with dirty funds launch and pump the coin too, as long as your clean address buys near the beginning and sells into liquidity

this can all be scripted and done with unlimited amounts, a “bundler” can manage many virgin addresses with a nice GUI now, specifically to be multiple buyers and sellers of a launch

you can unlink your clean funds in less (or equally) restrictive ways for other reasons and privacy, but it’s clean enough to pay taxes on and be free and clear

aspenmayer 2 days ago | parent [-]

That isn’t cash, that’s just more crypto, or am I reading you wrong?

The liquidity pool will get you back into mainline cryptos, but then what?

eszed 2 days ago | parent | next [-]

Sell your mainline crypto for money-money, and declare it on your taxes? Isn't that straightforward to do, nowadays? Not trying to be snarky: I've never been involved in crypto, but I thought I understood it in principle.

Sidenote: The GP's point was an Aha! moment for me about memecoins. I never got why anyone ever bought into these at all, but money laundering makes perfect sense.

yieldcrv 2 days ago | parent [-]

you understand it

but one thing you’re missing is that people don’t know which ones will be money laundered - or attract gobs of capital for unknown reasons - and go up in price wildly. so people play at all levels depending on their risk appetite since the profits from a coin being pumped are so wild.

these things launch with a marketcap in the low thousands, and run to marketcaps in the millions and billions for tens of thousands of % gains. it’s what retail has always wanted from the IPO market, but instead of waiting decades for every rule to slowly change with no sign of the private sector using those rules, they have the crypto ecosystem now and it’s been a hit.

as far as financial market innovation goes, the liquidity pool code is pretty novel and an active area of research and competition, a candidate of something to graduate to - or intertwine with - the traditional markets

eszed 2 days ago | parent | next [-]

Ah! It's penny stocks, then. My grandfather lost a ton of money "investing" in those, over the years - but his occasional hits, generally when he happened to piggyback a pump scheme (a gold mine scam in Papua New Guinea particularly sticks out), more than made up for it, at least to him.

yieldcrv a day ago | parent [-]

Yep

In fact it’s more like every unincorporated idea and general partnership and incorporated business all thrust into visibility and publicly traded status all at once, right alongside private equity backed corporations and ones that have actual institutional underwriters and IPO’d, issued and trading 24/7/365 with no circuit breakers or halts of any kind!

If the respected traditional market didn’t have its layers of filtering via syndicates and the exchanges, it would look just as scammy

you can filter for stronger crypto projects, more consumers and investors simply need to, and crypto skeptics need to become more discerning to levy a more equivalent standard

aspenmayer 2 days ago | parent | prev [-]

I mean, I kind of get it, I made a small amount from the Uniswap airdrop, and that was before pump.fun existed or whatever the hip thing is this cycle. I don’t think folks can usually count on airdrops but if you are making the crypto then you can do the math and price in an upside. I don’t see anything shady there per se as long as the tokenomics are solid. It’s the same as any crypto offer, buyer (and seller) beware.

I appreciate your explanation for me and for everyone else. I’m glad that crypto is being legitimized. It’s a cool technology and I think it should be profitable because it’s a technology whose time has come. I think its usage for money laundering is unfortunate, but ledgers offer introspection that is an opportunity for enforcement. I think it’s just another cat and mouse game, same as it always was. Most folks aren’t doing anything underhanded and just want to use the technology to do cool things. The law is catching up, but it had to be dragged to the table. This should have happened years ago in my opinion.

yieldcrv 2 days ago | parent [-]

No rebuttals there

I think the previously hostile regulatory environment has caused a lot of innovation, that is more resilient and useful for capital formation, new sectors, industries. the cryptosecurities market in 2012 was really ghetto, the ICO market in 2017 was baaaad but working around securities regulations since registration+liquidity was impossible. 2024’s pump.fun should be for entertainment only, but it does standardize the token issuances in ways that weren’t there before

the bad stuff should be ignored by consumers or cleaned up

but at the end of the day it will always be up to consumers and investors to be more discerning, for critics to criticize bad organizations individually instead of indict all of crypto when something goes wrong. the lack of discernment allows for most bad actors to act with impunity, and encourages the ones that do eventually face consequence

aspenmayer 2 days ago | parent [-]

I didn’t mean to conflate what Uniswap does with what pump.fun does, but I understand that Uniswap is a decentralized exchange whereas pump.fun is a launchpad, which is basically crypto contract templating? I don’t know how to explain it abstractly but I think the liquidity pools that Uniswap and others pioneered have created a really neat community.

Like the thnickles guy, for example. Good old weird internet salt of the earth folks. I don’t even know if he’s associated with crypto, but the more people doing neat things as investments, the weirder the internet gets, and I’m more or less okay with that within the bounds of reason and complying with applicable laws and regulations.

yieldcrv a day ago | parent [-]

All good, I wouldn’t say conflating, they both use bonding curves that Uniswap pioneered

For the uninitiated:

Uniswap’s liquidity pool concept changed crypto forever and there are infinite code branches from that at this point. Pump.fun is a homegrown version of the same blueprint, with scripted automation and gamification built on top of it.

What used to be separate processes and cost teams tens of thousands of dollars to code and review (creating a token, getting it audited), is now rolled into a click of a button for pennies free.

Pump fun creates your token, fills it in a liquidity pool, initiates the initial purchases for price discovery, and locks the dev into a game where it stays in the pump fun smart contract until the token hits a certain marketcap, then it transfers the liquidity pool (which is a bearer asset itself) into a more open trading smart contract called Raydium. This is an important goal because people provide liquidity with their own capital to raydium liquidity pools, increasing the collective respect and liquidity depth. These market makers earn basis points from trades through the liquidity pool. (I so wish this was available on the stock market, coming soon I hope). Pumpfun keeps all their trade volume earnings to themselves.

Look at how much pump fun has earned over the past year. Launchpads are lucrative.

aspenmayer a day ago | parent [-]

Have you followed what Robinhood is doing? They were tokenizing private shares of OpenAI and others, way before most private investors would have access to these shares. That allowed Robinhood to also fractionalize them.

https://www.cnbc.com/2025/07/02/openai-robinhood-tokens.html

They also are doing a lot of stuff with prediction markets, which is pretty interesting even if I think the issue there is one of deferring trust to an oracle, but that’s kind of the gambit with most gambles, so it sort of comes with the territory. I think there have been some bad calls by oracles there, and I think there’s a brand risk to Robinhood if RH users identify strongly with the RH brand when placing prediction wagers even when they are outsourced to a third party.

https://www.theblock.co/post/367417/robinhood-launching-spor...

yieldcrv a day ago | parent [-]

I have been following, Robinhood is really leveraging the technology! There are some open questions on what the tokenized shares are exactly, like shares of a special purpose vehicle that owns the private shares, or something else

A step in the right direction, more competition needed, liquidity pooling this way will be so good

2 days ago | parent | prev | next [-]
[deleted]
yieldcrv 2 days ago | parent | prev [-]

the liquidity pool will get you back into mainline cryptos, you transfer that back to your personal coinbase or any crypto exchange account, sell for your nation’s currency, transfer to your bank account.

can take a few minutes from liquidity pool to your bank account, to a few hours. several days in the worst case.

aspenmayer 2 days ago | parent [-]

This just in: cashing out is out, direct investment is in.

Bullish's $1.15B in IPO Proceeds Entirely in Stablecoins in Public Market First - https://news.ycombinator.com/item?id=44957496

yieldcrv 2 days ago | parent [-]

yep. one of the understated and more abstract realities of crypto money laundering, as well as licit crypto profits and revenues, is that many crypto natives don’t want their nation’s currency or any fiat.

it’s been like this for over a decade.

you can get out of volatile coins and into stablecoin onchain.

you can buy goods, services, and investments whether with the volatile coins or with stablecoins.

stablecoins also have a redemption mechanism, so when you move them to an exchange, the conversion isn’t “selling for usd” (which has a fee), it’s just redeeming them for free. Coinbase can take USDC straight to your bank account for example, removing one step.

when I was running a small hedge fund half a decade ago, our third party fund administrator could take investor funds in crypto for us that would be accounted for on our books in usd for further investment.

a lot of crypto ETFs are taking funds in crypto right now too, there is a tax advantage that Bloomberg wrote about a month or two ago

s5300 2 days ago | parent | prev | next [-]

[dead]

sublinear 2 days ago | parent | prev [-]

What if like... man... what if it was all vibe coded? huhuhuh!