The 2025 Ohio Marijuana Card breach — nearly one million records left unencrypted on the open internet — wasn’t an anomaly. It was the latest and largest chapter in a documented history of catastrophic cannabis data security failures stretching back nearly a decade. For operators who think a breach can’t happen to them, this timeline is a direct rebuttal.
Why Cannabis Is a Permanent Target
Before examining the individual incidents, it’s critical to understand why the cannabis industry has attracted such a concentrated pattern of data breaches. The answer lies in three converging factors: the extreme sensitivity of the data collected, the industry’s historically underfunded security infrastructure, and its rapid digital transformation without equivalent investment in protection.
Unlike a retail clothing store whose breach exposes purchasing preferences, a cannabis dispensary collects data that can ruin lives. Medical cannabis operators collect government-issued IDs, Social Security numbers, qualifying diagnoses, mental health evaluations, physician certifications, and precise medication records — information that overlaps directly with HIPAA-protected data categories. Adult-use dispensaries collect transaction histories, geolocation data, biometric identifiers, and government ID documents that enable sophisticated identity theft. The data is extraordinarily valuable to criminal actors, and the industry collecting it has, in many cases, treated its security obligations as an afterthought.
The result is a breach timeline that should alarm every operator in the space — and every regulator who oversees them.
2016–2018: MJ Freeway — The First Industry-Wide Catastrophe
The cannabis industry’s data breach era didn’t start with a single dramatic moment. It began with a prolonged, multi-year siege against MJ Freeway, one of the dominant seed-to-sale tracking software providers in the country.
Between November 2016 and 2018, MJ Freeway suffered a series of escalating attacks — not just data theft, but deliberate system destruction and source code compromise. The scope was staggering: over 1,000 dispensary clients across 23 states were affected. The attackers didn’t just steal customer records — they attacked the operational backbone of the businesses relying on MJ Freeway’s platform, in some cases destroying data entirely and forcing dispensaries to revert to pen-and-paper operations.
What made the MJ Freeway attacks uniquely damaging was their state contract exposure. Pennsylvania and Washington were among the states that had contracted MJ Freeway for their regulatory tracking systems — meaning a private software company’s security failure directly compromised state government compliance infrastructure. For an industry still fighting to establish legitimacy, having its core regulatory system repeatedly breached was a reputational and operational blow that echoed for years.
The lesson written in 2016 that the industry still hasn’t fully learned: When you are the shared infrastructure for an entire supply chain, your security failures become everyone’s security failures. Vendor concentration risk in cannabis remains a critical unaddressed vulnerability in 2026.
2019–2020: THSuite — The Unsecured Cloud Bucket That Exposed Three States
On Christmas Eve 2019, security researchers at vpnMentor discovered something that should have been impossible: an Amazon S3 storage bucket belonging to THSuite, a point-of-sale software company serving cannabis dispensaries, was completely open to the public internet.
The exposed database was so large that researchers couldn’t individually examine all records. What they could confirm was damning: over 85,000 files and at least 30,000 sensitive records containing personally identifiable information were freely accessible to anyone who knew where to look. The breach affected at least three confirmed dispensaries across three states: AmediCanna Dispensary in Maryland, Bloom Medicinals in Ohio, and Colorado Grow Company in Colorado.
The data exposed wasn’t just purchase receipts. It included:
- Full names, phone numbers, and dates of birth
- Medical patient ID numbers and cannabis card information
- Scanned government-issued photo IDs and signatures
- Gram purchase limits and complete dispensary transaction records
- Employee payroll records and hours worked
- Monthly business compliance reports and inventory data
What made the THSuite breach particularly inexcusable was the response — or lack of one. THSuite never responded to the researchers’ disclosure notifications. The database was only secured after vpnMentor contacted Amazon directly to force the closure. The company’s complete silence in the face of a known exposure of tens of thousands of patients’ medical records remains one of the most egregious examples of vendor negligence in cannabis breach history.
The lesson: Cloud storage misconfigurations — especially unprotected S3 buckets — remain one of the most common and entirely preventable breach vectors across all industries. The technology is simple. The failure is cultural: operators and vendors treating security as someone else’s responsibility until it becomes everyone’s emergency.
2024: STIIIZY and the Everest Ransomware Group — A New Threat Level
By late 2024, the nature of the threat to cannabis operators had fundamentally evolved. The breaches of the early years were largely the result of negligence — unsecured databases, misconfigured cloud storage, poor vendor oversight. The STIIIZY breach was something different: a targeted, organized ransomware attack by a sophisticated international cybercrime group.
On November 20, 2024, STIIIZY — one of California’s largest and most recognized cannabis brands — disclosed that its point-of-sale processing vendor had been compromised by the Everest Ransomware Group, a well-documented criminal organization with a history of targeting high-value commercial sectors. The attackers had access to customer data for approximately one month before detection, from October 10 to November 10, 2024.
The scope of the exposure was devastating. 380,000 customers had the following data compromised:
- Full names, addresses, and dates of birth
- Driver’s license numbers and passport numbers
- Photographs and signatures from government IDs
- Medical cannabis card details
- Complete transaction histories across four California retail locations
Everest initially demanded a ransom and set a December 2024 deadline. When negotiations apparently failed, the group published the stolen data on its dark web leak site, making it permanently accessible to any criminal actor with the technical ability to find it.
The STIIIZY breach carried a warning that the industry has not yet adequately absorbed: within one week of STIIIZY’s disclosure, a second cannabis operator appeared on Everest’s dark web victim page — an operator that had been a client of the same compromised vendor. This was not random. The Everest group had identified cannabis’s shared vendor infrastructure as a concentrated attack surface. One vendor compromise can yield multiple cannabis business victims simultaneously.
The lesson: The era of opportunistic attacks against negligent cannabis operators has given way to targeted, professional ransomware campaigns. The Everest group explicitly chose cannabis as a target sector. Treating your POS vendor or payment processor as a trusted partner without mandatory security standards and contractual incident response obligations is no longer defensible.
2025: Ohio Marijuana Card — 957,434 Records Left Wide Open
The Ohio Marijuana Card breach is the defining cannabis security incident of 2025 — and arguably the most instructive breach in the industry’s history, precisely because of how simple and entirely preventable it was.
On July 14, 2025, cybersecurity researcher Jeremiah Fowler discovered two internal databases belonging to Ohio Medical Alliance LLC (operating as Ohio Marijuana Card), a telemedicine company helping patients obtain physician-certified medical cannabis cards across Ohio, Arkansas, Kentucky, Louisiana, Virginia, and West Virginia. The databases were completely unprotected — no password, no encryption, no access controls of any kind.
The numbers were staggering: 957,434 patient records totaling 323 gigabytes of unencrypted, publicly accessible medical data. Files were organized in folders labeled by patient name, making individual records trivially easy to search and extract. What those folders contained was the most sensitive information a person can share in the context of healthcare:
- Full legal names and Social Security numbers
- Dates of birth and home addresses
- High-resolution driver’s license images
- Medical intake forms and physician certifications
- Mental health evaluations
- Internal staff notes and comments
- Offender release cards for patients reentering society after incarceration
- Over 210,000 email addresses linked to patients, employees, and business associates
Fowler reported the discovery to Ohio Marijuana Card on July 14, 2025. The database was secured by July 15 — but only after an unknown period of public exposure. The critical unanswered question: how long had those 957,434 records been sitting unsecured, and who else had already accessed and downloaded them?
The Legal Tsunami
The legal fallout was immediate and multi-jurisdictional. By late August and early September 2025, at least six separate proposed federal class action lawsuits had been filed in the Northern District of Ohio. The cases were consolidated by an Ohio federal judge in November 2025 into a single coordinated proceeding.
The lawsuits allege:
- Failure to safeguard sensitive medical data in violation of consumer protection laws and duties of care
- No patient notification — Ohio Marijuana Card allegedly failed to notify any impacted patient about the exposure
- Breach of implied contract — patients paid for services with a reasonable expectation that a portion of those payments funded basic data security
- Unjust enrichment — the company retained payments that should have funded security measures
Simultaneously, the Ohio Division of Cannabis Control opened a formal investigation after a complaint was filed against Ohio Medical Alliance. The State Medical Board of Ohio launched its own separate investigation. In a single breach event, the company found itself defending against consolidated federal litigation, state cannabis regulatory action, and state medical board proceedings concurrently.
The Harm Beyond Identity Theft
The Ohio breach lawsuits made explicit an argument that the cannabis industry needs to internalize: the harm from a cannabis medical data breach is categorically different from the harm caused by a retail data breach.
When a clothing retailer suffers a breach, victims face identity theft and credit fraud. When a medical cannabis operator suffers a breach, the scope of harm extends dramatically further:
- Insurance discrimination — exposure of cannabis use and qualifying diagnoses can affect life, health, and disability insurance premiums and eligibility
- Employment consequences — many employers still maintain zero-tolerance drug policies, and documented medical cannabis use in the wrong hands can end careers
- Immigration consequences — for non-citizens, documented cannabis use — even for legally obtained medical marijuana — can have catastrophic immigration implications
- Federal law enforcement exposure — cannabis remains federally controlled; exposure of documented use creates complications in any federal context
- Stigma and social harm — mental health diagnoses, anxiety disorders, and PTSD records exposed in the Ohio breach carry significant social stigma if disclosed
Cybersecurity researcher Fowler explicitly noted that insurance companies pay for data of the kind exposed in the Ohio breach — data that could directly and materially impact insurance premiums for nearly one million people.
The Pattern Across Every Breach: Five Systemic Failures
Examining the full arc of cannabis data breaches — from MJ Freeway in 2016 to Ohio Marijuana Card in 2025 — reveals not a series of isolated incidents but a consistent set of systemic failures that repeat across every case:
1. Treating vendor security as someone else’s problem. MJ Freeway, THSuite, and the STIIIZY POS vendor compromise are all variations on the same failure: cannabis operators delegating critical data security to software vendors without contractual security requirements, ongoing audit rights, or incident response obligations. Under the law, your vendor’s breach is your breach.
2. Cloud misconfiguration as standard operating procedure. The THSuite S3 bucket and Ohio Marijuana Card’s unencrypted open database are separated by five years, but they represent identical failures: sensitive data stored in cloud environments without access controls. This is a solved problem with inexpensive solutions. It continues to occur because operators haven’t made it a priority.
3. No notification protocols. In both the THSuite and Ohio Marijuana Card cases, operators failed to notify affected patients in any timely fashion. Incident response — including clear, documented notification procedures — is not just ethically required; it is legally mandated under state breach notification laws, with timelines as short as 30 days.
4. Healthcare-sensitive data treated like retail data. Every cannabis breach reveals operators who collected medical-grade sensitive information — diagnoses, physician certifications, SSNs, mental health evaluations — and stored it with the same security practices appropriate for a loyalty point balance. Medical cannabis data demands medical-grade security infrastructure.
5. No regular security testing. Not one of the major cannabis breaches on record was discovered through internal security monitoring or proactive penetration testing. Every single one was discovered by external security researchers, journalists, or criminal actors. If you are not proactively testing your own security, you will not know you’ve been breached until someone else tells you.
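The cloud-storage failure in point 2 above, and in the THSuite lesson earlier in this timeline, is visible from a bucket's own configuration long before a researcher stumbles on it. The following is an added example, not code from this page or from any company it names. It evaluates the three settings that can open an S3 bucket to the internet (the Public Access Block flags, the bucket ACL, and the bucket policy) against constructed inputs shaped like the responses of the AWS get_public_access_block, get_bucket_acl and get_bucket_policy calls; the bucket names, the role ARN and the account ID are made up.

```python
"""Flag S3 bucket settings that expose objects to the public internet.

Added example; not code from the page or from any company named in it.
It checks the three places a bucket can be opened up: the Public Access
Block settings, the bucket ACL, and the bucket policy. The inputs below are
constructed JSON in the shape the AWS API returns (get_public_access_block,
get_bucket_acl, get_bucket_policy), so the check runs offline.
"""
import json

# Grantee URIs AWS uses for the two anonymous groups in bucket ACLs.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True when a statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Split Allow-to-anyone statements into (unconditional, conditional) Sids.

    A Condition block can narrow access (source VPC, account, etc.), but this
    checker does not evaluate conditions, so those Sids are reported for
    manual review rather than treated as safe.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    open_sids, conditional_sids = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional_sids if stmt.get("Condition") else open_sids).append(sid)
    return open_sids, conditional_sids


def public_acl_grants(acl):
    """Permissions the ACL hands to AllUsers / AuthenticatedUsers."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def assess_bucket(name, public_access_block, acl, policy_json):
    """Return a list of findings; an empty list means nothing is public."""
    findings = []
    pab = public_access_block or {}
    # All four flags must be on for the block to neutralise public ACLs/policies.
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append(f"{name}: Public Access Block incomplete ({', '.join(missing)})")
    for perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to an anonymous group")
    open_sids, conditional_sids = public_policy_statements(policy_json)
    for sid in open_sids:
        findings.append(f"{name}: policy statement {sid} allows any principal")
    for sid in conditional_sids:
        findings.append(f"{name}: policy statement {sid} is public but conditional; review manually")
    return findings


# Constructed sample buckets: one left open, one locked to an application role.
OPEN_BUCKET = {
    "name": "patient-intake-uploads",
    "public_access_block": {},  # never configured
    "acl": {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::patient-intake-uploads/*"}]}),
}
LOCKED_BUCKET = {
    "name": "patient-intake-uploads-v2",
    "public_access_block": {flag: True for flag in PAB_FLAGS},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                        "Permission": "FULL_CONTROL"}]},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/intake-app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::patient-intake-uploads-v2/*"}]}),
}

if __name__ == "__main__":
    for bucket in (OPEN_BUCKET, LOCKED_BUCKET):
        for line in assess_bucket(**bucket) or [f"{bucket['name']}: no public exposure found"]:
            print(line)
```

Run as a script it prints the findings for both sample buckets; wired to boto3 it would loop over the account's buckets and feed each one's real configuration into assess_bucket on a schedule. Note the deliberate caveat in public_policy_statements: a statement open to any principal that carries a Condition block is reported for review rather than assumed safe, because the checker does not evaluate conditions.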
What 2026 Demands
The Ohio breach triggered something beyond class action litigation — it triggered a regulatory reckoning. With Schedule III reclassification pulling cannabis operators into federal security frameworks, and comprehensive privacy laws in twenty states classifying medical cannabis data as sensitive personal information requiring heightened consent, the regulatory and legal environment now mirrors the severity of the threat.
The operators who avoid being the next case study in this timeline are the ones who treat security as a core business function rather than an IT line item. That means:
- Mandatory encryption for all databases containing patient or customer data — the Ohio breach was 323 gigabytes of unencrypted, passwordless data sitting in public
- Third-party penetration testing at least annually, executed before regulators or criminals find your vulnerabilities first
- Vendor security assessments with contractual security obligations, audit rights, and breach notification timelines built into every vendor agreement
- Documented incident response plans that include breach notification procedures, legal escalation contacts, and multi-state notification timeline tracking
- Zero-trust access architecture so that a compromised vendor credential cannot access your entire customer database in a single session
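The zero-trust bullet above names a property, not a mechanism. The following is an added example, not code from this page or from any vendor it names, showing one way to get that property at the data-access layer: every integration session carries a scope (locations, fields, lifetime and a per-session record budget) that a gateway enforces on each read and records in an audit log. The customer rows, the vendor name and the location IDs are constructed; in a real deployment the gateway would sit in front of the production database, and its audit log would feed the internal monitoring that point 5 of the failure list says operators lack.

```python
"""Scoped, budgeted access for a third-party integration (POS, telemedicine).

Added example; not code from the page or from any vendor it names. The design
point is that a vendor credential is bound to one location, a minimal field
set, a short lifetime and a per-session record budget, so a leaked credential
cannot dump the whole customer table in a single session. Records below are
constructed; the gateway would sit in front of the real database.
"""
from dataclasses import dataclass
import secrets
import time

# Constructed customer rows spanning two retail locations.
CUSTOMERS = [
    {"id": "c1", "location": "loc-01", "name": "Patient One", "dob": "1980-01-01",
     "ssn": "000-00-0001", "purchase_limit_g": 70.0},
    {"id": "c2", "location": "loc-01", "name": "Patient Two", "dob": "1975-05-05",
     "ssn": "000-00-0002", "purchase_limit_g": 70.0},
    {"id": "c3", "location": "loc-02", "name": "Patient Three", "dob": "1990-09-09",
     "ssn": "000-00-0003", "purchase_limit_g": 35.0},
]


class AccessDenied(Exception):
    """Raised for any refused request; the reason is also written to the audit log."""


@dataclass
class VendorScope:
    vendor_id: str
    locations: frozenset        # locations this integration may read
    fields: frozenset           # columns it may see (never SSN, DOB, ID scans)
    max_records_per_session: int
    expires_at: float           # epoch seconds; sessions are short-lived
    records_served: int = 0


class DataGateway:
    """Mediates every vendor read and records the outcome."""

    def __init__(self, records, now=time.time):
        self._records = {r["id"]: r for r in records}
        self._sessions = {}      # opaque token -> VendorScope (server-side state)
        self._now = now
        self.audit_log = []

    def issue_session(self, scope):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = scope
        return token

    def _deny(self, vendor_id, customer_id, reason):
        self.audit_log.append({"ts": self._now(), "vendor": vendor_id,
                               "customer": customer_id, "outcome": f"denied: {reason}"})
        raise AccessDenied(reason)

    def fetch_customer(self, token, customer_id):
        scope = self._sessions.get(token)
        if scope is None or self._now() > scope.expires_at:
            self._deny("unknown", customer_id, "unknown or expired session")
        rec = self._records.get(customer_id)
        # Same answer for "no such record" and "not your location", so a stolen
        # token cannot be used to learn which IDs exist at other locations.
        if rec is None or rec["location"] not in scope.locations:
            self._deny(scope.vendor_id, customer_id, "out of scope")
        if scope.records_served >= scope.max_records_per_session:
            self._deny(scope.vendor_id, customer_id, "session record budget exhausted")
        scope.records_served += 1
        self.audit_log.append({"ts": self._now(), "vendor": scope.vendor_id,
                               "customer": customer_id, "outcome": "ok"})
        return {k: v for k, v in rec.items() if k in scope.fields}


def demo(now=time.time):
    """Walk a POS integration token through allowed, out-of-scope and over-budget reads."""
    gw = DataGateway(CUSTOMERS, now=now)
    token = gw.issue_session(VendorScope(
        vendor_id="pos-vendor", locations=frozenset({"loc-01"}),
        fields=frozenset({"id", "name", "purchase_limit_g"}),
        max_records_per_session=2, expires_at=now() + 900))
    results = []
    for cid in ("c1", "c3", "c2", "c1"):
        try:
            results.append(gw.fetch_customer(token, cid))
        except AccessDenied as exc:
            results.append(f"denied: {exc}")
    return results, gw.audit_log


if __name__ == "__main__":
    for item in demo()[0]:
        print(item)
```

Running the script shows the four-step walk-through: an allowed read that returns only the scoped fields (no SSN or date of birth), an out-of-scope read refused with the same message used for nonexistent IDs, a second allowed read, and a refusal once the two-record budget is spent. The budget and the short expiry are what turn a leaked credential into a bounded, logged incident instead of a whole-database dump.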
The cannabis industry’s breach history is a roadmap of exactly what not to do. The question for every operator in 2026 is whether they’re reading the map.
cannasecure.tech provides cannabis-specific cybersecurity assessments, penetration testing, incident response planning, and compliance programs built for the unique threat landscape of the cannabis industry. The next breach won’t wait for you to be ready. Contact us today for a security gap assessment.