Fungi fallout? Ore. psilocybin data bill draws cybersecurity scrutiny

Illustration: Si Weon Kim

Oregon is the first U.S. state to have legalized psilocybin for adult use. However, a new bill proposing data collection from psilocybin users could expose vulnerable populations to cybersecurity and legal risks and create a template for other states to emulate.

Oregon legalized psilocybin use with the passage of Measure 109 in November 2020. That measure, also known as the Psilocybin Services Act, allows licensed service providers to administer psilocybin-producing mushroom and fungi products to adults aged 21 and older.

Measure 109’s passage is part of what observers call a psychedelic “renaissance,” a period of science-backed findings shifting the narrative away from the fear-based stigma surrounding these substances that arose during the so-called war on drugs. Early research suggests psilocybin could be used to effectively address a host of mental health and other medical problems.

As Oregon establishes the ground rules for psilocybin service centers, many psilocybin advocates say a new bill to collect sensitive personal data on psychedelic users could detract from these benefits. They say Senate Bill 303 could expose the centers and their clients to cybersecurity risks and even potential legal jeopardy while setting a bad precedent for other states.

A data privacy “no man’s land”

There are two models for decriminalizing psychedelics such as psilocybin, American Psychedelic Practitioners Association director of government affairs Hadas Alterman told README.

The first is a strictly regulated medical model that applies to FDA-approved drugs, such as ketamine, administered to patients in clinical settings by licensed practitioners.

The second model “allows people trained as facilitators but not necessarily doctors to provide psychedelic services to adults,” Alterman said. This second category, which dominates the national movement to relax laws related to psychedelics, “is a no man’s land” for data privacy, according to Alterman, governed only by state administrative rules, state agencies and whatever contracts are in place between the participants in the program and the service centers.

It is within this no man’s land that Democratic Oregon State Senator Elizabeth Steiner has introduced Senate Bill 303 (SB 303), which directs the Oregon Health Authority (OHA) to require licensed psilocybin service centers to collect a wealth of personal data on their clients. The data sought under the bill includes details on the race, ethnicity, preferred spoken and written languages, disability status, sexual orientation, gender identity, income, age and county of residence of each client, along with the reasons why they requested psilocybin services.

The bill requires a psilocybin service center operator to aggregate and submit this data to OHA “in a manner that protects the personally identifiable information.” However, it does not specify how these operators are supposed to defend this data. The bill also states that the authority may require service centers to collect yet-to-be-specified additional information that, “in the discretion of the authority, would be beneficial to understanding the outcomes of psilocybin services provided.”

SB 303 has sparked an outcry from the psychedelic community. “My thoughts, in general, are politicians, like the sponsor of this bill, are just overreaching with solutions looking for problems,” Mike Arnold, an attorney and founder of Silo Wellness, who plans to launch psilocybin treatment centers in Oregon, told README. “You get data for free by government edict that decreases your cost for your research. It’s a pretty good business plan for” the Oregon Health and Science University (OHSU), the ultimate recipient of the data in aggregated form.

Jon Dennis, an attorney at the Oregon firm of Sagebrush Law, told README, “This compels all licensees within the whole Measure 109 program to become kind of agents of not only the state but of a university so that the state can provide all this data directly to OHSU.”

A beacon to malicious actors

Proposed amendments to the bill would allow clients to opt out of sharing their data with the OHA. But critics of SB 303 note that service centers, which are likely to be small organizations operating on slim margins, are still obligated to collect the extensive personally identifiable data, even when their clients choose not to share it with OHA. And they say the data collection at this level could expose vulnerable populations to various harms.

The Oregon State Capitol building in Salem. Clay Gregory

One clear downside to the data collection required under the bill is the potential public exposure of service center clients’ sensitive secrets through criminal hacking. Even though Measure 109 did not legalize psilocybin based on a medical model, many service center clients are likely to seek the substance to deal with complex personal, psychological and health issues.

“I don’t care if someone sees my prostate exam results,” Arnold said. “I care if they’re looking inside my brain about the triggering traumas that have destroyed my life and all the shame and torment that’s come with that. That’s blackmail material. People who don’t know the cybersecurity space don’t realize this is fodder for evil people doing blackmail.”

Cybersecurity insurance agent Eric Rahn, Managing Director at Rahn & Associates, thinks the massive information collection mandated under SB 303 will be a juicy target for ransomware attackers. “When a hacker sees something like that, and it piques their curiosity, they’re going to start trolling,” he told README. “They’re going to start working on reputational issues. They will be doing ransomware attacks anywhere they can, and many of the [service centers] aren’t thinking about cybersecurity when they first start up.”

It’s nigh impossible for even well-financed healthcare organizations to safeguard patient or client information from malicious threat actors, even when they comply with the Health Insurance Portability and Accountability Act (HIPAA) and other requirements. This challenge was recently underscored by the Russia-linked ALPHV ransomware gang, which posted photos of Lehigh Valley Health Network breast cancer patients on the dark web after the medical provider refused to pay a ransom. One patient whose pictures were exposed has filed a class action lawsuit against the medical facility. And ransomware actors are increasingly skipping the data encryption part of their attacks to jump straight to extorting victims by threatening to expose the data exfiltrated from their networks.

Too much data?

Because data can never be completely protected from threat actors, a core practice for handling personally identifiable information (PII) is to collect only as much data as is needed to provide a service. This practice is known as data minimization.

The National Institute of Standards and Technology suggests organizations collect only PII “directly relevant and necessary to accomplish the specified purpose(s).” The EU’s General Data Protection Regulation (GDPR) also mandates that data collection be limited “to what is necessary in relation to the purposes for which they are processed.”

“We absolutely need to start focusing on data minimization,” Emsisoft threat analyst Brett Callow told README. “The primary focus in the past has always been how do we prevent intrusions? Obviously, that still has to be the objective, but I think we now need to start looking at data, realizing that there is a chance that could be exfiltrated, and working out ways to minimize the harm should that happen.”
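To make the data-minimization and "aggregate before submitting" points concrete, here is an added example (not code from the article, from OHA, or from any service center) of how a small center might keep only the fields it needs for service delivery and turn the rest into a suppressed count report. The field names, the `SERVICE_FIELDS` set and the `min_count` threshold are assumptions for the example; the client records are constructed.

```python
from collections import Counter

# Constructed sample client records using the kinds of fields SB 303 names.
# All names, addresses and values are made up for this example.
CLIENTS = [
    {"name": "A. Doe", "email": "a@example.com", "county": "Lane",
     "age": 34, "gender_identity": "woman", "reason": "depression"},
    {"name": "B. Roe", "email": "b@example.com", "county": "Lane",
     "age": 41, "gender_identity": "man", "reason": "depression"},
    {"name": "C. Poe", "email": "c@example.com", "county": "Multnomah",
     "age": 29, "gender_identity": "nonbinary", "reason": "anxiety"},
    {"name": "D. Loe", "email": "d@example.com", "county": "Lane",
     "age": 52, "gender_identity": "woman", "reason": "ptsd"},
    {"name": "E. Moe", "email": "e@example.com", "county": "Lane",
     "age": 38, "gender_identity": "man", "reason": "depression"},
]

# Assumption: these are the only fields the center needs to deliver the
# service, so they are the only ones kept in the client file.
SERVICE_FIELDS = {"name", "email", "age"}

# Direct identifiers never leave the center, not even inside a report.
DIRECT_IDENTIFIERS = {"name", "email"}


def minimize(record, keep=SERVICE_FIELDS):
    """Data minimization: drop every field not needed for the purpose."""
    return {k: v for k, v in record.items() if k in keep}


def age_band(age):
    """Coarsen an exact age (a quasi-identifier) into a 10-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def aggregate(records, field, min_count=3):
    """Count values of one field for the aggregate report. Cells with fewer
    than min_count clients are folded into 'other' so a rare value cannot
    single out one person once the report leaves the center."""
    if field in DIRECT_IDENTIFIERS:
        raise ValueError(f"refusing to report on identifier {field!r}")
    values = (age_band(r["age"]) if field == "age" else r[field]
              for r in records)
    report, other = {}, 0
    for value, n in Counter(values).items():
        if n >= min_count:
            report[value] = n
        else:
            other += n
    if other:
        report["other (suppressed)"] = other
    return report
```

Note that the folded "other" cell still reveals that a few clients had uncommon values; a real report would choose `min_count` and the folding rule against the actual population size.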

According to the bill, OHSU, one of two medical schools in Oregon, will use the data to “evaluate the outcomes of the psilocybin services provided.” The bill’s sponsor, Dr. Steiner, is also an Adjunct Associate Professor of Family Medicine at OHSU.

Steiner said the bill “will provide researchers and policy analysts with the information needed to make recommendations to improve safety and quality of services, as well as the short- and long-term results of psilocybin therapy.” She also maintained that “the data collected will not be identifiable [at the OHA level], so client privacy will be protected.”

The other major proponent of SB 303, a non-profit organization called the Healing Advocacy Fund, said that the information collected “will help researchers and regulators understand key details of Oregon’s psilocybin therapy program, such as how effective, accessible and affordable it is.”

Steiner declined interview requests from README. The Healing Advocacy Fund executive director Sam Chapman did not respond to README’s requests for an interview.

OHSU spokesperson Erik Robinson referred questions to Steiner, saying, “OHSU is not developing this legislation, but has provided input at Senator Steiner’s request.”

Concerns over faulty data collection

Critics say the information collection program under SB 303 is neither necessary to provide services nor likely to help achieve the objectives outlined by its proponents. Josh Wolf of the Plant Medicine Law Group told README that the bill applies the wrong standard for data collection.

“If it’s medical, then this is a medical program. But if it is a medical program, then treat it like one,” Wolf said. “And I can’t think of any other situation in which a medical program would be exposed to this kind of data collection. What SB 303 is proposing is just haphazardly requiring data points to be kept. And in most instances, they’ll end up being incomplete.”

Peter H. Addy, an Oregon psychotherapist who conducts psychedelic-informed psychotherapy and a former Yale School of Medicine faculty member, told README that expecting mom-and-pop service centers with no healthcare experience to collect the data adequately is a stretch.

“I can tell you from personal experience that people with no research background who have no incentive to collect good research data are not going to collect good research data,” Addy said.

The bill could also add to licensees’ costs, according to Dennis of Sagebrush Law, “because they’re compelled to not only compile this data and to collect it but then to store it, manage it and submit it.” Those costs could be passed on to customers.

“Weird times” for law enforcement

Federal law classifies psilocybin as a Schedule I drug with no recognized medical use, meaning that it is subject to federal law enforcement. Psilocybin distribution risks punishments that can include a financial penalty of between $1 million and $5 million and a prison sentence of up to 20 years. Possession can carry up to one year in prison and a minimum fine of $1,000, depending on the circumstances.

“We’re living in weird times where you have these federally illegal substances that are very much legal at the state level,” Wolf said.

All it would take for the information collected by the service centers to be subject to a federal subpoena is a new presidential administration that wants to crack down on state-level legalization of psychedelics, he said. “It raises [interesting legal issues] when you have a government entity essentially telling people engaged in criminal activity to track the criminal activity.”

There is some precedent for the federal government seeking sensitive information on Schedule I substance users in Oregon. Cannabis, for example, is still a Schedule I drug despite widespread state and local legalization. Oregon legalized cannabis for medical use in 1998. Despite Oregon’s law, in 2007, the Drug Enforcement Administration issued subpoenas to the Oregon Medical Marijuana Program, which gives permits to patients and their authorized growers, to obtain the medical records of 17 Oregon medical-marijuana patients.

According to Wolf, no aggregation or other data protection methods can shield service centers from a federal subpoena. “Once you throw a federal government subpoena in there, it’s a different issue,” he said.

Moreover, SB 303 collects far more data and offers significantly less protection of psilocybin user data than the 2015 Oregon law that legalized the recreational use of cannabis. Wolf said, “if you go into a dispensary, they take your ID, they check it, but they’re not tracking your address. They’re not putting down your sexual orientation.”

Finally, in addition to federal prosecution, excessive data collection and retention can lead to other kinds of legal harm and even “infringe individual fundamental rights.” Reproductive healthcare advocates, for example, warn that prosecutors can use data from brokers, apps, smartphones and browsers against people seeking pregnancy termination in a post-Roe world.

Creating an imperfect model for other states

As the first state to legalize psilocybin for adult use, Oregon is setting precedents for how other states and municipalities could adopt their own programs. “There are many states that are definitely looking at Oregon for how this is going to go and what lessons we can learn,” Addy, the Oregon psychotherapist, said. “We’re kind of the beta testers.”

Two years after Oregon passed Measure 109, the voters of Colorado passed Proposition 122, making Colorado the second state in the country to enact a regulated access program for natural medicine, including psilocybin and psilocin, and, by 2026, other medicines. In addition, more than 20 other states and around a dozen municipalities have decriminalized the use of psychedelics or introduced legislation that relaxes laws surrounding the criminalization of psychedelics.

Psilocybin advocates worry that whatever data Oregon collects under SB 303, with all its problems, could form the policy and legal foundations for other states, replicating an imperfect model for the nascent psychedelic sector. Even before SB 303 was introduced, Graham Boyd, Founding Executive of the New Approach PAC, urged psychedelic researchers to think of Oregon to expand their data set. “If you are a researcher and you’re thinking about whatever questions around psychedelics you want answered, think about Oregon as a place to potentially add to your data set and soon Colorado as well,” he said in a presentation last November.

If SB 303 becomes law, which many observers say is likely, the best solution to protect clients’ data is for service centers to implement strict cybersecurity practices and follow them. But spending money on cybersecurity is likely to be a low priority for most service centers, Arnold said.

“If you’re already running a very tight margin and you’re being told by your cybersecurity insurance agent and your cybersecurity firm that you need to spend an extra thousand dollars a month to protect your clients, to protect yourself from the chance of having a breach and then being extorted or sued, and a thousand dollars a month keeps the lights on, what do you think they’re going to do?”