DC Cannabis Cards

I used DC Cannabis cards in November 2014 to connect me with a physician licensed to prescribe medical marijuana in DC. My visit was fine and the physician agreed that I would benefit from MMJ use and wrote me a prescription.
A year later, in December 2015, Leighanna Nierle, who I believe is an administrative assistant in the organization, sent out an email reminding me to renew my card. Instead of sending it through the secure encrypted connection like required by federal HIPAA laws, Leighanna cc’d over 500 individuals when she sent her email. So, 500 individuals who may not be comfortable with others knowing that they have used MMJ had their emails publicly shared.
I immediately emailed back saying that it was a serious violation of HIPAA and that I knew it was probably a mistake but that she should be more careful in the future. She apologized and said, «I hope this doesn’t cause you any inconvenience.» Uh, yes, having my email and private medical information (because it was an email reminding people to renew it was clear that I and the others cc’d had MMJ cards) shared is an «inconvenience.»
I called the office a couple of days later and was shocked that Leighanna answered the phone. I asked to speak with her supervisor, whose name I cannot remember, and asked him what actions he had taken to remedy the situation. He told me that they were working on sending out an apology email, which, for the record, I never received. I asked why Leighanna was still working there after violating the privacy of hundreds of people and what the repercussions were. He assured me that she felt bad and there were repercussions.
I know that this was an error, and I have also made mistakes in cc’ing on emails. But the nonchalant response to this serious error is completely unforgivable. They need to be held accountable, and I have filed a HIPAA complaint with HHS.
On top of it all, I received an email this morning asking me to review them on Unilocal,which is particularly egregious.
Bottom line: stay away from this organization. They are not professional in their practices and do not make an effort to fix their mistakes. At the very least I expected a sincere apology that I didn’t have to call and make a fuss about to receive.
There are other compassionate physicians in the city that you should use if your physician isn’t registered. You can also help them register, which is a relatively quick process. You can also call your preferred dispensary and ask them for a recommendation that is not DC Cannabis Cards.
EDIT: For those among the 500 others who had their privacy violated, you can submit a HIPAA complaint here:
The process is quick and only takes about 5 minutes.