19 July 2016
We saw this report in the OC Newspaper.com and wondered why this wasn’t a bigger story in the world of legal cannabis media. Especially as it’s what we used to call a schoolboy error in the UK.
July 13, 2016 4:35
Oregon Health Authority’s Oregon Medical Marijuana Program (OMMP) made a major clerical error on July 7 when writing to medical marijuana growers to inform them that the deadline for reporting had been extended. They used “CC” instead of “BCC” when sending one batch of emails, which exposed the email addresses of hundreds of currently registered growers to other growers.
In all, it appears that over 550 emails were included in the message, which was sent from an Analysis Unit Manager with the OMMP.
The email read:
Subject: OMMP June Reporting Deadline Extended
The Oregon Medical Marijuana Program is issuing the attached Informational Bulletin to notify growers, processors and dispensaries of its decision to extend the deadline for June 2016, reporting. The new deadline date for June 2016, reporting is July 30, 2016.
Please see the attached Informational Bulletin for details.
Oregon Medical Marijuana Program
Public Health Division
Here is the Informational Bulletin attached to the email:
Oregon Medical Marijuana Program Replies
Andre Ourso, the OMMP Manager, explained to Oregon Cannabis Connection (OCC) in an email: “In a July 7, 2016, email, OMMP registered growers received an informational bulletin that was erroneously but inadvertently sent to several hundred email addresses of OMMP growers while copying other registrants’ email addresses on the email.” OMMP would like to apologize for the inadvertent error of sending the informational bulletin out and not ‘blind carbon copying’ the recipients.
“No confidential information or information identifying registered medical marijuana grow sites was contained in the email message,” he explained in bold type. “OMMP has asked recipients to disregard the message and refrain from replying all or replying to any recipients that were listed in the email.”
The breach was a big mistake, and they seem to understand there could be blowback.
“Once the error was realized the program attempted to recall the message,” Ourso explained further. “In addition, the program self-reported the incident to the OHA Security and Privacy Office and discussed the incident with DOJ.”
Some Growers Upset
Many Oregon growers are very private about their activities. They do not want their personal information available, including email addresses, which can sometimes be tracked back to other information. With 45,000 people registered as growers, they only exposed information on about 1% of participants.
One grower replied to the message, and all the recipients, with disdain:
Subject: Re: OMMP June Reporting Deadline Extended
Well thank you for sharing my email address with every smoker in
Oregon. Your new system seems to be a bit of a clusterfuck and is
certainly a waste of all of our time. Please remove me from your email
You might consider removing these good people listed below as well
before the spammers get a hold of our personal data as you clearly are
not protecting our personal information as a state agency should. Ever
heard of a ‘lil thing called HIPAA?
You are attempting to drown us good Oregonian citizens with this
onerous and ponderous regulation clearly intended to drive out the
small time grower and pave the way for the corporate growers we all
know are coming. The absolute LEAST you can do after forcing us into
this horrible and inefficient system is to protect the personal
information you demand we share in order to continue to use the life
saving medicine we all rely on.
In closing your over regulation is bullshit and the least you can do
is follow your own fucking rules.
The email was sent by “Bobbi,” a longtime medical marijuana patient and grower.
“It angers me because all over America more and more companies and government bureaucrats are demanding more of our personal information while taking next to zero steps to safeguard that information,” Bobbi told OCC.
“Here is the latest evidence that we have been sold out by the very agency tasked with protecting us,” Bobbi explained. “The first of many pot-related spam messages we will all receive now thanks to the over regulation of the medical marijuana industry coupled with the incompetence of their people.”
Unfortunately, Bobbi believes that she has already experienced spam from the breach, from a nursery company that “provides wholesale bulk cannabis, teens, clones, and mothers.”
HIPAA and what is to come
Some may question whether the federal HIPAA (Health Insurance Portability and Accountability Act) statutes would apply, since no actual health information was released. Mr. Ourso of OMMP indicated they were not concerned, and also said the OMMP program isn’t governed by HIPAA or HITECH (The Health Information Technology for Economic and Clinical Health Act), HIPAA’s sister law, which was passed in 2009.
“HIPAA and HITECH do not apply to the OMMP program,” Ourso explained to OCC in the email. “OMMP does not utilize federal funds or is connected to any federally funded healthcare program… state privacy laws govern the OMMP program.”
We asked how this happened and what the department would be doing in the future to prevent such a mistake, and Ourso explained, “We are continuously looking for efficient ways of communicating with over 45,000 registered medical marijuana growers while maintaining confidentiality.”
“OMMP will not be emailing registrants in this manner in the future,” he told OCC. “Registrants that want to stay informed about the program should visit our newly designed website at healthoregon.org/ommp.”
There, anyone can sign up for their email subscription service by clicking on the link: Subscribe to receive e-mail updates related to OMMP. Their subscription service is separate from the online registration system.