I have gotten several notices of medical data being leaked over the last two years. I thought HIPAA law had very harsh fines for this, but I guess they just look the other way.
I once worked with both PCI and HIPAA at a consulting firm. Neither had very high bars. PCI compliance was just a yes/no questionnaire that said something like "I do not store unencrypted CC numbers in my DB." No one validates the questionnaire. I just submitted it and got a shiny badge to put on my client's site.
HIPAA compliance was just a half hour webinar.
To be fair, I think HIPAA works in offline contexts (employers can't ask your doctor about your health) but as far as how easy it was for me to get access to customer CCs and medical information... Let's just say the barrier was basically nonexistent.
HIPAA doesn't have a private cause of action, so if a violation happens, it's a wealth transfer to the government; it doesn't mean anything to you or any individual.
And most companies can simply price it in as cost of doing business at this point.
> I thought HIPAA law had very harsh fines for this
Not at all. The maximum fine a company has to pay is capped at $2 million per calendar year for a violation, and that's assuming it's even eligible for the highest tier of penalty.
Some companies may have paid fines, some people may have lost their jobs over incidents like these, but the repercussions aren't severe enough to be a deterrent.