Ohio Marijuana Card Leaks Patient Data: A $200 Gatekeeper With a Dropbox Addiction

Ohio Marijuana Card, the state’s most prolific medical cannabis referral service, just proved what every patient has suspected for years: the people charging you $200 for a rubber-stamped doctor’s note can’t be trusted with a fucking spreadsheet.

The company — a subsidiary of Green Health Docs, led by CEO Joshua L. Erceg — left a massive database of sensitive patient records unsecured online. We’re talking Social Security numbers, addresses, medical diagnoses, copies of IDs, and physicians’ notes. No password. No encryption. No firewall. Just naked personal data hanging out on the open web like some mid-level dealer’s Snapchat menu.

“Security” by File Name

One whistleblower told Boof the company’s cybersecurity strategy looked like this:

• patients-FINAL-THIS-ONE-FOR-REAL.zip

• diagnoses_masterlist2_USE_THIS_TRUSTME.xls

• copy_of_copy_of_copy_patient_data_2024.xlsx

• fart.zip
  

“The database was literally indexable by Google,” the source said. “You could stumble on it while searching for vape tricks.”

This wasn’t some advanced hack. It was closer to walking into a dispensary’s back room and finding a banker’s box labeled “Do Not Steal — Important Shit Inside.”

The Attempted Monetization

Rather than fix the mess, insiders say leadership actually debated selling the data. A leaked internal email reviewed by Boof shows a Green Health Docs exec floating the idea of pitching the records to a West Coast edibles brand “for targeted ad placements.”

When that didn’t work, the CFO allegedly tried to upload the files to Gmail but kept crashing Outlook. The memo’s final line:

“If we can’t monetize, let’s spin up a sub-brand: HIPAA Kush™ — transparency patients can feel.”

The Human Cost

Ohio Marijuana Card claims to have processed over 182,000 patients. That’s 182,000 people whose PTSD diagnoses, cancer treatments, and therapy notes were tossed into a digital dumpster fire.

Take Angela, 47, who told Boof she discovered her PTSD documentation was exposed in the same public folder as someone else’s Cheesecake Factory resume. “I paid them to help me,” she said. “Turns out I was basically Venmo-ing my medical history to a Craigslist scammer with a stethoscope.”

Regulators Shrug

The Ohio Board of Pharmacy, responsible for running the state’s medical cannabis registry, has so far issued no fine, no sanction, no public comment. The State Medical Board of Ohio, which certifies the rubber-stamp doctors feeding Ohio Marijuana Card’s pipeline, has been equally quiet.

“They won’t touch it,” one compliance officer admitted. “If regulators had to admit how sloppy this whole program is, the entire patient registry would collapse. Easier to pretend nothing happened.”

The Business Model of Rot

The scandal highlights the entire medical card racket: high-volume “tele-doc” companies like Green Health Docs funnel patients into 15-minute Zoom calls, churn out certifications, and bill repeat renewals annually. The goal isn’t care. The goal is throughput.

And when you’re incentivized to stamp forms, not safeguard people, patient privacy becomes another line item — right next to marketing spend and Josh Erceg’s LinkedIn Premium subscription.

Fallout

For now, the only thing Ohio Marijuana Card has shut down is its public Dropbox link. The company is still fully operational, still billing patients, still advertising “fast and easy cannabis cards.”

In any real health sector, this would trigger lawsuits, federal probes, and a corporate bloodbath. In cannabis? It’s Tuesday.