from the this-why-we-can’t-have-good dept

Another day, another major privacy scandal that never goes away.

Healthcare giant Ascension – which owns 140 hospitals and assisted living facilities – said the May cyber attack compromised sensitive data on more than 5.6 million patients.

According to a filing with the Maine Attorney General and a Dec. 19 post to Ascension’s website, the attack occurred in May, but Ascension only intended to inform the victims six months later. Compromised data includes names, social security numbers, addresses, sensitive health information, Medicare/Medicaid data, payment information, and more.

But don’t worry, Ascension is offering users the standard “free credit monitoring” today:

“Ascension is currently in the process of notifying affected individuals. The organization also offers two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services. These services became effective last Thursday.”

I have been involved in so many hacks that I have actually lost track of which company is now giving me a free credit report for a year. Often from credit reporting companies that also cannot secure their own networks and systems.

There are a lot of moving parts here. For-profit health care systems routinely weaken their cybersecurity, creating a field day for ransomware attackers. Lax antitrust reforms mean that healthcare giants typically prioritize unprofitable giant mergers that divert attention from cybersecurity (and healthcare). Then of course you have a country that is too corrupt to enforce privacy laws.

These scandals continue to occur because companies and executives do not see real consequences for failing to properly invest in security infrastructure. When there is regulatory action for lax privacy, it comes in the form of piddly wrist-slap fines that are often litigated down to a pittance.

The corner-cutting required to generate unsustainable and unrestricted quarterly growth for Wall Street routinely has cannibalistic effects on public safety and product quality. This “enshittification” is especially problematic when it comes to health care.

Since the Supreme Court has effectively neutered the independence of most regulators, and with Congress too destructive to pass even basic privacy laws for the Internet era, you can expect nothing to change anytime soon. At least not until there is a massive, deadly, or high-profile privacy breach that finally shakes the country from its corrupt apathy.

At that point, America’s biggest companies will get together to write a meaningless modern privacy law focused primarily on legalizing incompetence, and making life more difficult for smaller competitors.

Filed Under: cyberattack, enshittification, hacked, health, privacy, ransomware, security
