Massachusetts Dispensary Accidentally Shares Patient Emails

Massachusetts is moving forward, step by precarious step, toward a ballot initiative next year that would legalize marijuana for recreational use. In the meantime, the state’s regulators are struggling, as they are in other states, to create a regulatory infrastructure that actually works and protects patients on the medical side. They are also creating repeated delays in the name of formulating such regulations.

In Massachusetts, the delay between the voter ballot legalizing medical use and implementation has been three years. Less than three months after the first permitted dispensaries in the state began operations, according to, Salem’s Alternative Therapies Group, a state-licensed dispensary, sent an email addressed to “Dear Patient” to 157 email addresses. The recipient patients were all visible to each other because they had been carbon copied, rather than blind carbon copied.

The dispensary issued a statement apologizing for the incident to its customers within hours:

Alternative Therapies Group would like to extend its sincere apologies regarding the email which was sent to you. We mistakenly CC’d everyone instead of using BCC. We apologize for that mistake. Your privacy is a top priority, as is overall HIPPA [sic] compliance. The email was only sent to other patients. It was NOT sent to or shared with anyone in the media, nor did we use anyone’s name. We ask that you delete the email out of respect for all patients.

The matter is now under investigation by the state Department of Health.

Advocates are more concerned about the laxity of state regulations that created the possibility for such federally noncompliant operational procedures to occur than the accidental clerical oversight that caused the incident.

This situation, however, is emblematic of the problems medical patients will continue to face until medical marijuana is made legal at the federal level. The Health Insurance Portability and Accountability Act is a federal law that makes it a federal crime to violate patient privacy, including exposing medical “records” in this case, or even exposing that an individual is a person with a condition serious enough to be a medical marijuana patient in Massachusetts. The problem, however, is that since marijuana does not federally count as “medicine,” this is yet another area where patients run huge risks. HIPAA is a fiercely contentious law at the state level, and some states may be paying lip service to a federal civil rights statute they likely think is too expensive to implement properly.

It is also still possible to be fired for medical use in every state where even medical marijuana is legal.

For this reason, compliance on the business end is also of extreme importance, and the incident in Massachusetts has not gone unnoticed in the funding community. “It is critical that dispensaries take great care with their patient data in order to keep it safe, secure, and confidential. This would be required by HIPAA in any media business environment, and should be standard best practice for any dispensary operation,” said Kris Krane, Managing Partner of 4Front Advisors. “Further, since marijuana is still federally illegal even for medical purposes, releasing patient data potentially jeopardizes the freedom of patients who could face increased scrutiny from federal law enforcement. While the chances of this are extremely slim, it is a risk that cannabis business operators simply cannot afford to take.”

Precisely because of this and other discrimination, a minor clerical error actually just violated federal and constitutional rights, including the right of due process. That creates huge liability for both patients and dispensary operators.

In a state like Massachusetts where medical marijuana is finally available to the estimated 18,000 people who qualify for it, three years after voters went to the polls to legalize its use, the lax security practices of a recently licensed dispensary are only adding to the considerable frustration of state legalization advocates.

It is also adding fuel to the “regulate marijuana like alcohol” campaign.

As Jeremy Carr, the owner of a top-rated dispensary in Los Angeles, Exhale Med Center, commented about the incident, “We restrict employee access to all patient data.” Operating in patient-friendly California, Carr is also aware that the state has the most stringent patient protection laws in the country, including when it comes to marijuana privacy rights. Carr used that knowledge to create BlazeNow, an online app connecting patients to dispensaries. “I kept the patient privacy issue in mind,” he said. “Dispensaries are able to set permissions for each user so no unauthorized personnel have access to sensitive data.”

The post Massachusetts Dispensary Accidentally Shares Patient Emails appeared first on MJI News.