Nevada took its medical marijuana program database off the internet this week after the Social Security numbers and other sensitive information involving thousands of dispensary applicants were inadvertently leaked online.
A vulnerability affecting a web portal used by the state’s medical weed program resulted in more than 11,700 dispensary applications being publicly accessible prior to the database being disabled this week, security researcher Justin Schafer said Wednesday.
Mr. Schafer said he discovered the bug after a simple Google search Tuesday evening resulted in him stumbling upon a trove of unsecured data maintained by the state’s Medical Marijuana Program.
Each of the over 11,700 exposed files contains the names, phone numbers, home addresses, birth dates, driver’s license numbers and complete Social Security numbers of marijuana dispensary applicants according to the Daily Dot, a tech website that confirmed the researcher’s discovery this week upon recreating his Google search.
The Nevada Division of Public and Behavioral Health (DPBH), the state office which operates the portal, said in a statement Wednesday it was investigating a “cyberattack” on its Medical Marijuana Program.
“The entire portal has been taken down,” Cody Phinney, DPBH administrator, said in a statement.
“To prevent further breaches, the Division’s IT staff are working with state IT staff, investigating the breach. We appreciate everyone’s patience during this difficult time. As more information is known, the public will be notified,” he said.
It was not immediately clear how long the applicants’ data had been publicly available prior to being discovered this week. The DPBH had shutdown the portal earlier this month, however, after the state discovered an unspecified “problem” affecting the portal, the Las Vegas Review-Journal reported previously. The DPBH said only that it had shut down the portal on Dec. 8 after finding “some vulnerabilities” in the system, and brought it back online one week later.
State officials have contacted law enforcement investigators in addition to three major credit reporting agencies with respect to the data breach, according to the agency. Victims affected by the breach will be notified within the next few days as required by state law, CBS reported.
Voters in Nevada authorized the state to establish a medical marijuana program in 2000, and today the state boasts roughly 20,773 patients with weed prescriptions, according to NORML.
More recently, Nevadans voted last month in favor of legalizing marijuana for recreational purposes. When the law takes effect Jan. 1, 2017, adults 21 and older will legally be able to to possess up to 1 ounce of cannabis or one-eighth ounce of cannabis concentrate for non-medical reasons.