Department of Revenue MITS System Illegally Accesses Confidential Patient Registry

Patients say, "Get your MITS off my meds!"

For immediate release, Wed., Dec. 11, 2013

{Denver} -- The Department of Revenue held a press conference on Wed. 12/11/13 at the headquarters of the DOR's Marijuana Criminal Enforcement Division (MCED) to unveil their multi-million dollar patient and medicine tracking system, that uses Radio Frequency Identification (RFID) chips to track every gram of cannabis in the state from "seed to sale".

The Department of Revenue admits that it illegally obtains information from the confidential medical marijuana Registry, run by the Colorado Department of Public Health and Environment (CDPHE), to confirm medical marijuana patient status, plant counts, and dosage recommendations in their new online system, called the Marijuana Inventory Tracking System (MITS).

The MITS system is designed to make sure Medical Marijuana Centers (MMCs) stay within their plant and medicine count, based on the number of patients each MMC has. However, there is no legal way for the DOR to confirm patient numbers and plant counts aside from confirming it with the constitutionally-protected confidential MMJ Registry.

The Constitution requires the CDPHE to keep a confidential Registry of medical marijuana patients who voluntarily give their name to the state in order to be protected from law enforcement. The Constitution states that law enforcement can only receive information from the Registry if they have "stopped or arrested" someone who presents them a with medical marijuana Registry ID card. The DOR-MCED is a criminal law enforcement agency, but they have not "stopped or arrested" the thousands of medical marijuana patients who have voluntarily registered so they can shop at MMCs.

A joint investigation by the Cannabis Therapy Institute, the Patient and Caregiver Rights Litigation Project, and the Cannabis Press Association reveals that the MCED says they routinely "verify registry card numbers and plant counts with CDPHE", even though it is illegal to do so. In an email dated Nov. 29 to PCRLP from the MCED's PIO Julie Postlethwait, the MCED states "we request the info on a specific card number and they (CDPHE) confirm it is current and the recommended plant count."


However, the CDPHE flatly denies Postlethwait's statement. On Nov. 15, in response to a Colorado Open Records Act (CORA) request, CDHPE's Ron Hyman, director of the Medical Marijuana Registry, wrote in an email, "Medical Marijuana Registry (MMR) information is not shared for the purpose of maintaining or updating the DOR MITS database." Hyman claimed, "The Department has not shared patient information with DOR."

When confronted with Postlethwait's comments that they do get information from CDPHE, Hyman had no response. On Dec. 5, he provided PCRLP with a copy of CDHPE's policy for dealing with law enforcement and MMC requests for patient information, which he said is "no longer in effect." He did not provide the current policy, nor did he say when the policy he sent became "no longer in effect."

In his Dec. 5 email, Hyman also stated that CDPHE has "requested a legal opinion from the Attorney General's Office regarding some of the issues raised in the State Auditor's Report, including law enforcement access to registry information, and we are awaiting their response. Once those opinions are received, we will evaluate our processes to ensure full legal compliance."

This is the second time that CTI and PCRLP have documented registry breaches by law enforcement. Previously, breaches were exposed between the Registry and the Colorado Bureau of Investigation's CCIC online interface that allows the confidential MMJ Registry to be accessed from the squad car of any local, state or federal law enforcement entity.

The CDPHE admitted they could not control what law enforcement does with the Registry with regards to the CBI. At the Board of Health meeting on Aug. 21, 2013, Hyman stated repeatedly that "We don't control what law enforcement does with the Registry information."
The DOR's breaches for the MITS database, on top of the CBI breaches for the CCIC database, prove the CDPHE cannot be trusted to keep the MMJ Registry confidential. Patients must assume that all law enforcement has access to all their patient information, especially if they have ever shopped at an MMC.

The Colorado Office of the State Auditor gave the CDPHE an "F" for maintaining a confidential Registry in June. The Auditor uncovered several incidents where the MCED tried to "verify red card information about multiple patients at one time, ranging from five to 107 patients. According to Public Health, Revenue officers wanted to determine if a dispensary's medical marijuana inventory correlated to the amount of medical marijuana authorized for the dispensary's registered patients. We question whether Revenue enforcement officers have legal authority to verify patient Registry data during their dispensary investigations, because it is unlikely that those officers have actually 'stopped or arrested' every patient associated with a particular dispensary." June Auditor's Report on CDPHE MMJ Registry, page 64

In an October 16, 2013 Board of Health hearing, Registry Director Hyman insisted that he never gave the MCED any patient information. The head IT director of the Registry testified that, even though the MCED requested information on multiple patients at once, those requests were denied. MCED's Postlethwait's email of Nov. 29 directly contradicts this.

"Patients should be concerned," says Kathleen Chippi, of the Patient and Caregiver Rights Litigation Project, who has paid for the only lawsuits ever filed in the state to try to protect patient privacy, without the help of a single MMC. "Breaches of patient confidentiality could cause the loss of child custody, employment, drivers license, occupational licenses, and firearms. MMC owners should step up to help protect their customers' privacy."


Defend the Registry



Westword Article, Marijuana patients to protest introduction of new tracking system, Dec. 11, 12013

Letters from DOR and CDPHE proving Registry Breaches with MITS tracking system

Policy on Law Enforcement and MMC Requests for Registry Application Verification (no longer in effect, per Ron Hyman on Dec. 5, 2013. Hyman provided no current polcy)

Previous Registry Breaches with CBI/CCIC Law Enforcement Database

Colorado's Radio Frequency ID Seed-to-Sale Marijuana Inventory Tracking System

RFID Seed to Sale Marijuana Inventory Tracking


Fern Epstein, a consultant with Rebound Solutions who was hired by the Department of Revenue to help design the database, gave an overview of the plan. Click here to watch the video of her presentation: