Nevada marijuana portal back online after cybersecurity vulnerability

It’s been a rough month for Nevada’s medical marijuana program.

After taking the site down for cybersecurity risks for twice since Dec. 8, state officials on Thursday restored the medical marijuana portal, according to a press release from the state’s Division of Public and Behavioral Health. The portal is used by dispensaries to submit applications for new or renewed medical marijuana cards and to ensure patients don’t buy more than legally allowed.

That portal also stores the records for people who have applied to open or work at a medical marijuana establishment in the state.

In late December, more than 11,000 of those applications, which contained applicants’ personal information including social security numbers, birth dates, addresses and phone numbers, were available on the internet through a specific search query. The state at the time described the incident as a “cyberattack” on the program, and notified three major credit reporting agencies — Equifax, Experian and TransUnion — about the breach.

After the portal was restored Thursday, however, the state changed their wording slightly, implying a less malicious act.

“The portal was taken down for repairs after the Division was notified that it was vulnerable to a cybersecurity breach,” the press release said.

The division did not say what caused the vulnerability. A spokeswoman for the division said the investigation is ongoing and couldn’t say what the cause was.

The state first shut down the portal on Dec. 8, saying it found “some vulnerabilities” in the system. They restored it on Dec. 15, saying those issues had been corrected and that the information in the portal had not been compromised.

Public health officials noted that the full ramifications of the incident are not known.

Contact Colton Lochhead at clochhead@reviewjournal.com or 702-383-4638. Follow @ColtonLochhead on Twitter.