Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 957,434 records. The database belongs to an Ohio-based organization that helps individuals obtain physician‑certified medical marijuana cards. The database held PII, drivers licenses, medical records, documents containing SSNs, and other internal potentially sensitive information.
So, the absolute bare minimum was not followed. Just wide open database containing medical information.
More evidence cannabis needs to be recreational. We can let people use their FSA money for it and/or give a steep discount to people who "really" need it, like cancer patients... but I think a lot of people who bounce between
Anyways, there are a LOT of little fly by night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent seek, and it's not at all a surprise one had poor data practices.
This seems totally unrelated to whether cannabis should be recreational. If my insurance company leaked my PHI, that would certainly not be evidence that any of my prescriptions should be OTC.
I could get behind this so long as there’s still limits on your person and in public places. Colorado has a great system. However, legalization has only created weed monopolies by abuse of the law language. Essentially making it illegal for smaller shops to compete.
Those same people are the ones contracting out these systems with local governments.
ya, here in Canada(caniba), nobody much cared what someone smoked or why, as long as they did it down wind and out of sight since forever, and I have heard irrate little ones admonishing adults "your not supposed to do that around us!" and grown adults eye rolling and moving off....now there are certain parks for the weed heads, and various semi legal stores and some government weed outlets, but as it's not called weed for nothing, millions grow the little they want for personal use, and for people wanting it for medical reasons, there is a vast network of people helping people.
We went through the whole "certified medical canabis" thing, and it collapsed under overwhelming demand, and the impossibility of scaling the management, where the police and courts flat out refused to try and untangle the "legitimate" and "unligitimate", and we are back to what it was in the past with an informal understanding of ....go down wind and out of sight of the kids,thank you
So are people storing these things in a non-HIPAA-compliant way or is this mostly attributable to some other vector that would not have been helped by compliance?
What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/
Medical marijuana dispensaries are not covered entities under HIPAA [0]. The way the law works is weird, but they are not required to comply. All the more reason the federal government needs to catch up with the times on cannabis.
I think there are even more basic table stakes that were missed here well prior to conducting any manner of formal compliance auditing - like unauthenticated users accessing this database!
Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.
Mine once asked if I'd like a referral to a doctor who was quite liberal in approving people for medical cards in my jurisdiction. I said, "And end up being tracked as a known user in a government database? No thanks." Safer on the streets.
Your neighborhood weed guy would never have your personal information, perhaps not even your full name, a nickname would suffice. But I get the point and the pun. It’s all a big charade
One more thing to note here: anybody in this database that is also part of the OPM leaks or holds a federal job (or is a trucker or other non-drug requirement) will now be compromised and subject to blackmail.
If the dots are connected they will lose their jobs. Full stop.
(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)
daily reminder that KYC is a joke, the institutions and enforcement agencies that think it works, don’t know when its not working as long as a real id and ssn and address is used
This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.
For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.
You cash out in your personal account by launching a memecoin and buying a tiny bit on launch (or minting extra for yourself)
the baked xmr funds are once again swapped into virgin addresses that all buy your memecoin, with your clean funds you sell your position into the liquidity pool of the pumped coin
it looks the same as any other launch. are they bots, are they retail degens? who knows, pay capital gains tax and move on.
you can modify this by having the virgin addresses with dirty funds launch and pump the coin too, as long as your clean address buys near the beginning and sells into liquidity
this can all be scripted and done with unlimited amounts, a “bundler” can manage many virgin addresses with a nice GUI now, specifically to be multiple buyers and sellers of a launch
you can unlink your clean funds in less (or equally) restrictive ways for other reasons and privacy, but its clean enough to pay taxes on and be free and clear
Readit News
Anyways, there are a LOT of little fly by night outfits that "help" you get a medical card in many states. It's a joke, and all it does is empower the same type of person who used to be a pill doctor to rent seek, and it's not at all a surprise one had poor data practices.
Those same people are the ones contracting out these systems with local governments.
What a terrible leak - med records and marijuana use, especially in some circles - could be very useful blackmail material. :/
[0] https://www.hhs.gov/hipaa/for-professionals/covered-entities...
Deleted Comment
Dead Comment
If the dots are connected they will lose their jobs. Full stop.
(new account online, new coinbase account online, stuff new account with cash, transfer to coinbase, transfer onchain, swap to monero, wait, access all with new mac address, new wifi, new browser session, or Tor if the services allow)
daily reminder that KYC is a joke, the institutions and enforcement agencies that think it works, don’t know when its not working as long as a real id and ssn and address is used
This isn't meant to be a gotcha or a takedown, as I appreciate that you're one of the few HN users knowledgeable about crypto who isn't a shill or dismissive of crypto out of hand.
For those who aren't familiar with this industry, there are folks whose job it is to solve these problems with KYC being less effective than it ought to be. Many work in industry as devs, and many do the same as part of the Department of Justice or an affiliated agency or approved third party contractor. There are relevant working groups that bring all relevant parties together for operations. I don't want to assume that you don't know this, but you should not make it out like crime is easy, or that it pays. That said, government salaries are criminally low across the board. I can only assume the private sector of this niche pays better, as it can't very well pay much less than the public sector. Why this is the case is absurd, as it is mostly to do with pay scales and levels, and the near-impossibility of paying workers more, even when it's ready money that is already allocated.
the baked xmr funds are once again swapped into virgin addresses that all buy your memecoin, with your clean funds you sell your position into the liquidity pool of the pumped coin
it looks the same as any other launch. are they bots, are they retail degens? who knows, pay capital gains tax and move on.
you can modify this by having the virgin addresses with dirty funds launch and pump the coin too, as long as your clean address buys near the beginning and sells into liquidity
this can all be scripted and done with unlimited amounts, a “bundler” can manage many virgin addresses with a nice GUI now, specifically to be multiple buyers and sellers of a launch
you can unlink your clean funds in less (or equally) restrictive ways for other reasons and privacy, but its clean enough to pay taxes on and be free and clear