Originally published at: https://boingboing.net/2019/09/21/unhealthy-practices.html
…
Let me guess: some of these were AWS instances that someone went to the trouble of making completely public for “convenience”.
I used to run an FTP server that was more security conscious than these guys.
The increasing superconductivity of information is messing with many things, for good, for bad, and/or just plain weird.
I think, even if these companies cannot be sued by individuals due to arbitration clauses, they can be held liable for HIPAA violations. Substantial financial penalties are possible.
My daughter and I share a primary care physician. She can’t acknowledge that, or use our records to look at meds/conditions/whatever about conditions we both have, because of HIPAA. But anyone with an internet connection can get our scans.
Something is very wrong with our medical system, and bad security practices are only a little bit of it.
Like other areas in the U.S.'s increasingly tattered “rule of law,” HIPAA violation claims are going to be most successfully prosecuted if the claimant has a good attorney and the money to pay him/her. Remember, any claim would have to face both the medical practitioner’s own malpractice-insurance-provided attorney plus any additional legal representation the accused [and if a doctor, probably in a better financial position than the claimant] can engage in his/her defense.
I’m not saying HIPAA can’t be used as both a pre-harm guardrail as well as a post-harm leverage. I am saying that a lot of us American regular folks may not be in a position to pursue justice in this way.
And certainly there is no “undo” once the harm–the breach of one’s theoretically private data like Social Security numbers etc.–has been done.
https://www.medprodisposal.com/20-catastrophic-hipaa-violation-cases-to-open-your-eyes
How did BB find my brain selfie?