Open the Floodgates: Data Breach Affects Marijuana Dispensaries

A massive data breach from cannabis software provider THSuite has exposed the private information of approximately 30,000 medical and recreational cannabis users.  The breach affected dispensaries belonging to Amedicanna, Bloom Medicinals, and Colorado Grow Company.

THSuite is a provider of point-of-sale and inventory management software targeted toward the marijuana industry.  On December 24, 2019, THSuite experienced a data breach which led to customers’ private data being dumped online onto a freely accessible, unsecured, and unencrypted cloud database.  The compromised data included customers’ full names, phone numbers, dates of birth, medical ID numbers, signatures, and products purchased.  The breach was not remedied until January 14, 2020.

The data breach compromised about 85,000 files from the affected dispensaries.  However, additional forensic examination of THSuite’s internal systems has revealed that data collected by THSuite at other dispensaries it services may also be at risk.

The involuntary release of patient and consumer information collected by THSuite raises serious privacy and regulatory concerns.  While marijuana is illegal federally, the compromised data contains personally identifying health information and may be subject to the purview of the Health Insurance Portability and Accountability Act (“HIPAA”).  THSuite is also subject to additional data privacy and consumer protection laws in each of the states in which it operates.

The data breach raises significant concerns regarding information privacy in the marijuana industry.  Businesses engaging in the collection, storage, and generation of personal information and protected health information for marijuana patients and consumers should establish strict internal controls to ensure compliance with applicable state and federal laws.

* Tanner Lawrence contributed to this post.