Mass. pot dispensary accidentally shares patients’ email addresses

The state’s first medical marijuana dispensary opened in late June. The Boston Globe

Buying medical marijuana in Massachusetts got a little less anonymous Thursday morning, when the state’s lone pot dispensary accidentally shared some of its patients’ email addresses with other patients. State health officials are investigating.

Salem’s Alternative Therapies Group sent an email addressed “Dear Patient,’’ to 157 email addresses. A copy of the email obtained by listed the addresses in the CC line, meaning the recipients could see each other’s addresses. The dispensary had meant to send the email as a blind CC, or BCC, which would have kept the email addresses from being seen by all.


The breach of patient confidentiality came just as medical marijuana begins to take hold in Massachusetts. Alternative Therapies Group opened in late June, and others have obtained licenses to sell marijuana legally.

Alternative Therapies Group issued a statement Thursday afternoon, saying:

As the first dispensary open in Massachusetts, ATG is servicing patients from all the Commonwealth. As a courtesy, we sent an email to our patients with confirmed appointments for today to let them know what they can expect upon arrival. Unfortunately, the email addresses were not concealed properly. We understand the sensitivity of personal information and deeply regret this error. We assure you that proper controls will be implemented immediately to prevent this from happening in the future.

The dispensary sent another email to patients:

Alternative Therapies Group would like to extend its sincere apologies regarding the email which was sent to you earlier this morning. We mistakenly CC’d everyone instead of using BCC. We apologize for that mistake. Your privacy is a top priority, as is overall HIPPA [sic] compliance. The email was only sent to other patients. It was NOT sent to or shared with anyone in the media, nor did we use anyone’s name. We ask that you delete the email out of respect for all patients.

In a voicemail message to, Alternative Therapies Group executive director Chris Edwards called the privacy violation an “honest error.’’ He did not respond to requests for further comment. will not release the patients’ names or emails, out of respect for their medical privacy, but did contact them to invite them to comment. Some were angry to have had their information exposed, while others lauded Alternative Therapies Group for its services.

The Department of Public Health’s regulations regarding medical marijuana say patient information “is confidential and shall not be disclosed without the written consent of the individual to whom the information applies.’’

“As we would with any licensed facility, DPH is investigating the incident,’’ department spokesman Scott Zoback said in a statement. “DPH holds patient privacy and safety paramount and will take action as necessary.’’

Medical marijuana dispensaries probably are not covered by the federal Health Insurance Portability and Accountability Act (HIPAA), which governs many patient privacy protections, according to Julia Hesse, a lawyer with HIPAA expertise.


HIPAA only applies to organizations that take medical claims, while medical marijuana dispensaries offer patients services in exchange for cash, without the involvement of health insurance or electronic billing, she said.

Matt Fisher, another HIPAA attorney, said email addresses would likely qualify as protected patient information for organizations that are covered by HIPAA.

A state-by-state guide to U.S. marijuana legislation

[bdc-gallery id=”108563″]


This discussion has ended. Please join elsewhere on