Return of the Hack
It happened again! Once more, a whole lot of data has been leaked, and now tons of personally identifiable information is floating around cyberspace for anyone with a web browser to find. Is that frustrating? Absolutely. But we've written before about how the data breach is usually coming from inside the company; so whoever leaked the data will get in trouble, and we'll all go back to normal, right? If only it was so simple.
According to a story first broken by ProPublica, the data breach occurred, not due to technical malfunction or user error, but simply because of ignorance. 187 servers that held the information, scattered all across the US from California to Florida, did not have any kind of password protection. That's right-- in 2019, servers with highly sensitive medical and personal information were holding that data without password protection. When will we learn?
This should be an anomaly-- maybe one server is accidentally left unprotected for a couple of hours, but then someone notices and fixes it quickly. Instead, the records of 5 million healthcare patients are free to anyone who wants them. That doesn't just stop at check up history and x-ray images. No, according to ProPublica, the leaked information includes "names, birthdates, and in some cases, Social Security numbers."
This Isn't Okay!
This isn't okay! It violates HIPAA, and the trust that we put into these places as patients. There's not really a relationship that requires trust more than between a healthcare provider and a patient, and this isn't going to do much to help build that trust up.
Data breaches are probably inevitable to some extent. In an increasingly digital world, there will be increasingly complex hacks for increasingly complex security systems. And while we won't be able to stop all attacks, we should at the very least be able to slow them down, and not leave a sign on all our data that says "Y'all come on down and grab it!" Yes, all medical data should be securely archived, but apparently asking for a measure as complicated as a password is too much.
I suppose the takeaway from this is a plea to please do the bare minimum. Because if you can't set up a password, especially when you're in charge of preventing a data breach, I'm not sure you need to be on a computer at all.