Oklahoma's medical marijuana authority has brought in the state's cybersecurity team to review its new MedPortal licensing system after weeks of login problems, while publicly denying online claims that the portal was hacked.
The Oklahoma Medical Marijuana Authority (OMMA) issued a short notice Tuesday stating that “recent claims that the OMMA MedPortal was hacked are false,” and said it is “working closely with the State’s cybersecurity team to protect the integrity and security of all systems.”
The denial follows a month of issues tied to OMMA’s new MedPortal, which handles applications and renewals for medical marijuana patients and businesses. In a Nov. 14 update, OMMA acknowledged “login challenges,” longer call center wait times and problems resubmitting rejected applications after the switch to the new portal.
OMMA later told licensees that email changes required for portal access are being escalated to the Oklahoma Office of Management and Enterprise Services (OMES), which manages state IT, before users can log in and complete applications.
The agency has also emphasized that the MedPortal was built with “enhanced security features” to better protect patient information and comply with state privacy law, reminding patients that third-party consultants are not allowed to access their MedPortal accounts or call OMMA on their behalf.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
OMMA’s references to working with the “state’s cybersecurity team” point to Oklahoma Cyber Command, the central cyber unit inside OMES that defends state networks, data and applications from malicious activity and unauthorized access.
For observers, that combination of prolonged authentication problems, heightened security messaging and direct involvement from Oklahoma Cyber Command is a strong cyber signal that officials are at least checking for a security issue, even as OMMA insists no hack occurred.
At the same time, OMMA’s categorical written statement carries its own constraints. Under Oklahoma’s data breach notification law, state agencies that discover a breach of unencrypted personal information must notify affected residents “in the most expedient time possible and without unreasonable delay,” subject to law enforcement needs and scoping the incident. A knowingly false public denial after confirming such a breach could expose the state to legal and political risk.
OMMA has not reported any data exposure, ransomware, or other confirmed cyberattack tied to the MedPortal rollout. The agency has instead framed the situation as short-term transition problems and told licensees they “will not be penalized due to technology issues outside of your control” during the switch to the new system.
Portal trouble is not the first technology headache for Oklahoma’s marijuana market this year. In May, thousands of business licenses were mistakenly canceled because of what OMMA described as a software glitch in its third-party licensing portal, though affected businesses were told they could keep operating while the issue was fixed.
Outside the portal, attorneys have also warned that delayed or confusing OMMA communications about renewal windows can leave cannabis businesses at risk of accidental lapses and operational disruption, intensifying concern when core systems malfunction.
Oklahoma’s medical marijuana program is unusually large: advocacy group MPP lists more than 340,000 registered patients in a state of about 4.1 million residents, among the highest participation rates in the United States. That leaves hundreds of thousands of patients and thousands of businesses dependent on the MedPortal for timely license renewals.
For now, OMMA is urging licensees who cannot log in to contact the agency, review their email address on file and wait for OMES to process authentication changes. The portal remains online, but users continue to report intermittent access issues in industry forums and social media posts.
