the internet is full of organizations that, through negligence or incompetence, allow sensitive personal·information to be accessed by unauthorized parties
· take the case of Atrium Health and AccuDoc Solutions, who together allowed the health data of 2.65 million patients to be accessed by a hacker for eight days
· this is the largest breach of healthcare·data in 2018
in a notification about the incident, Atrium Health states:
As soon as AccuDoc discovered the incident, it immediately terminated the unauthorized access, engaged a forensic investigator, and took steps to secure its affected databases and enhance its security controls
Atrium Health
a few questions arise from that statement:
- why were the AccuDoc databases not secure in the first place?
- why were security controls ineffective against a hacker?
- how were they “enhanced”?
the Health Insurance Portability and Accountability Act (HIPAA), which binds Atrium Health, compels it to include protections for the health·information it shares with business associates such as AccuDoc
· in this case, both Atrium Health and AccuDoc failed in their duty to protect the individually identifiable health information (personal·information) of millions of individuals through ignorance, negligence, or incompetence
unfortunately, the infrastructure these companies use to store and share this sensitive information is not effective in preventing access to the information by unauthorized parties
· had strong, effective, widely·available data·encryption measures been used, with the keys held outside the systems the hacker reached, the hacker would have seen only unreadable ciphertext and would not have been able to view the information, which the companies claim was not downloaded
· but the hacker had access to this data for over a week
· even if the hacker did not download the data, sie would have been able to screen-capture the information and save it for later processing (that is, for later malfeasance)
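what “effective” encryption means here deserves spelling out, because disk-level or transparent database encryption alone does not help against an intruder who reaches a database with working credentials: the database hands plaintext back to anyone it authenticates. the protection that would have left the hacker looking at unreadable bytes is encryption of the sensitive fields by the application, with the key held in a separate key-management service that the database never sees. the Go program below is an added example written for this page, not code from Atrium Health or AccuDoc; the key, the sample patient record and the names encryptField, decryptField, storeRow and dumpLeaks are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// dataKey stands in for a key fetched from a KMS/HSM at run time (constructed example value, never stored beside the ciphertext)
var dataKey = mustRandom(32)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one column value with AES-256-GCM; patient id and column name are
// authenticated as associated data, so a ciphertext cannot be moved to another row or column
func encryptField(key []byte, patientID, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := mustRandom(gcm.NonceSize())
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), []byte(patientID+"|"+column))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// decryptField fails on a wrong key, a tampered value, or a value taken from another patient or column
func decryptField(key []byte, patientID, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(patientID+"|"+column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// storeRow encrypts every sensitive column before it reaches the database; the returned map is exactly what the database holds
func storeRow(key []byte, patientID string, fields map[string]string) (map[string]string, error) {
	row := map[string]string{"patient_id": patientID}
	for col, val := range fields {
		ct, err := encryptField(key, patientID, col, val)
		if err != nil {
			return nil, err
		}
		row[col] = ct
	}
	return row, nil
}

// dumpLeaks models the intruder's view (a copy of the row, no key) and reports whether any plaintext is visible in it
func dumpLeaks(row map[string]string, plaintexts ...string) bool {
	var sb strings.Builder
	for col, v := range row {
		sb.WriteString(col + "=" + v + ";")
	}
	for _, p := range plaintexts {
		if strings.Contains(sb.String(), p) {
			return true
		}
	}
	return false
}

func main() {
	// constructed sample record, not real patient data
	row, err := storeRow(dataKey, "pt-1001", map[string]string{"ssn": "123-45-6789", "name": "Jane Doe"})
	if err != nil {
		panic(err)
	}
	fmt.Println("dump reveals plaintext:", dumpLeaks(row, "123-45-6789", "Jane Doe"))
	ssn, _ := decryptField(dataKey, "pt-1001", "ssn", row["ssn"])
	fmt.Println("application holding the key reads:", ssn)
}
```

binding the patient id and column name into each ciphertext means an intruder who can also write to the database cannot copy one patient's encrypted social·security·number into another record, and a dump of the table reveals nothing without the key; what this does not prevent is the application itself, or anyone who compromises the application together with its key, from reading the records, which is why the key must live in a system the hacker could not reach.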
now the personal·information of millions of patients could be available to individuals who specialize in identity theft, and can be added to personal·information databases and put up for sale
· to protect themselves, people have to sign up for the free year of credit-monitoring service that Atrium Health offers to the 700,000 people whose social·security·numbers were exposed
but why are they being offered only a year of protection?
· the hacker can just wait 13 months to start eir nefarious activities, and the information may be permanently available in databases hosted on the dark·web
· these victims must renew the credit·protection service at their own cost for years to come because of the malpractice of Atrium Health and AccuDoc
· this is not fair for the victims, whose only mistake was choosing Atrium Health for their healthcare needs (the company obviously did not effectively vet AccuDoc’s qualifications for handling protected personal·information)
as in years past, when slavery (the New World), child labor (the Industrial Revolution), and financial·services fraud (the stock market) were rampant, people who are abused by bad actors have little recourse
· the system is not on their side
· punishment is either nonexistent or is not commensurate with the transgressions these irresponsible companies perpetrate
· deep regret by Atrium Health is not enough to repair the damage done to its customers’ lives
· what we really need is a system that prevents malfeasance and the serious consequences that negligence and incompetence bring about
laws such as HIPAA are not effective at preventing companies from behaving badly
· just like all cars are equipped with seat belts and airbags to protect people from bodily harm, so must the internet be equipped with measures that effectively protect personal·information
· such measures must be implemented in a system that looks after people’s benefit above all
· the human·internet aims to be that system