Covering Up Cyber Breaches
I was researching something and stumbled across a post in r/sysadmin on Reddit that begins:
I have wanted to make this post for a few months now because I know we all have horror stories on this topic. It seems the only way to stop this is to make sure more IT admins are aware of their reporting requirements in regulated industries, or, in non-regulated areas, make sure they have a transparent procedure for notifying customers.
It seems companies and tech vendors are being attacked with increased sophistication, and they are covering up or downplaying security breaches with hippo-sized lies with increased frequency. It's an open secret amongst IT admins and security professionals, but definitely one of the ugliest things we have to deal with. I am currently in the midst of a very nasty hospital provider client separation because they have been trying to avoid reporting a HIPAA breach with numerous excuses that had no merit.
Read more of the post and the replies to it on Reddit.
Would this be an acceptable time to point out that HHS was sent a formal whistleblower complaint in 2018 about a coverup that occurred in 2016 and they still have not closed the complaint with any enforcement action? How can they not impose a severe monetary penalty on a medical practice that knew it was hacked, saw evidence that the hacker had exfiltrated patient data, and told the police that they were the victims of a hack and extortion attempt — but never told the patients? The only reason the patients were ever told anything — years later — was because the hacker told DataBreaches the story of the hack and provided this site with all of the patients’ information!
The Reddit post shows that the problem of coverups is well-known and continuing. Well, why shouldn’t it continue if HHS never takes stern action when it is aware of a coverup?