A “critical flaw” in Ohio’s process for grading medical marijuana grow applications could have allowed a state employee to change scores or manipulate other documents, the state auditor’s office found.
Two Ohio Department of Commerce employees had unlimited access to the online accounts of more than 20 application reviewers and associated documents, according to Auditor Dave Yost’s office. The employees also created and managed passwords for the application reviewers, who were only granted access to certain parts of the application.
In a Feb. 6 letter to Commerce Director Jacqueline Williams, Yost wrote that the weakness could have allowed an employee to log in as a reviewer and change scores. The “weakness,” as Yost refers to it, means auditors can’t tell whether a record was revised by an application reviewer or someone else logging in as the reviewer.
“Because of this critical flaw in the procedure’s design, neither this office, nor the public, can rely upon the cultivator application results,” Yost wrote in the letter, which was obtained by cleveland.com through a public records request.
Williams disputed that sentence but did not address the password weakness in a reply letter dated Friday that the department provided in response to questions from cleveland.com.
“My fear is that this statement could be misinterpreted to imply there is evidence of improper conduct in the awarding of Level I cultivator provisional licenses,” Williams wrote. “I therefore respectfully request that you take the statement out of your interim communication.”
The department has implemented changes to securely administer usernames and passwords, a spokeswoman said late Monday afternoon.
“While the auditor’s office hasn’t completed its review, we are continuing to separately perform a full internal review of all our processes to ensure accuracy, efficiency and security,” spokeswoman Stephanie Gostomski said in an email.
Yost declined Monday to discuss the finding further.
The commerce department announced in November that provisional cultivator licenses would be issued to 24 companies statewide — 12 large-scale growers and 12-small scale growers.
Yost’s office began reviewing the application review process after reports that the department didn’t know one scoring consultant had a felony marijuana conviction on his record and that two other consultants had possible conflicts of interest with a license winner.
The department has fiercely defended the scoring process, which shielded applicants’ identities and limited scorers’ access to only one part of the application. Department officials pledged in December to hire a third-party investigator to handle allegations of errors or wrongdoing. Gostomski told cleveland.com in January the department decided not to hire the investigator because of Yost’s audit.
Sixty-nine unsuccessful applicants have appealed their score.
Yost wrote that he wanted to inform the department of the flaw so it can address it now, as it reviews applications to test medical marijuana and make marijuana products. He recommended the department follow state IT office policy preventing personnel from accessing others’ accounts without authorization.