From Facebook to Equifax to Microsoft to Marriott (and certainly thousands of smaller businesses too), data breaches happen. And they’re not always the result of some high-tech, targeted cyberattack by hackers out to steal data. Often, they’re simply accidents. Maybe data wasn’t stored properly, or information was sent to the wrong person, or a database wasn’t configured correctly. It only takes one small mistake to put people's sensitive data at risk.
We have this image of an unshaven guy in a dark basement with ten computer screens hacking away at some intelligence database. But in reality, it might just be a tired (but well-meaning!) employee who didn’t get enough sleep and accidentally clicks the wrong button, exposing a bunch of data to the world. A single misstep, often by someone trying to do their job, can lead to a breach that affects people for years.
Here are some details on the examples mentioned initially:
Facebook: In 2019, hundreds of millions of user records were exposed on a publicly accessible AWS server. No hacker was involved; someone at a third-party app of Facebook simply misconfigured the data’s security settings.
Equifax: This was a malicious breach in 2017, where hackers exploited a vulnerability to access personal data (including social security numbers and financial information) for nearly 150 million Americans. That software vulnerability had been identified elsewhere, but Equifax did not upgrade quickly enough to improve their security and avoid this issue.
Microsoft: In 2020, 250 million customer support records were accidentally exposed because of a misconfigured internal database. Yes, Microsoft itself, one of the biggest names in tech and database software, was run by humans who made a mistake, leading to a data breach.
Marriott: Hackers stole information on 500 million guests, a breach that was detected in 2018 but had been going on for years. Some breaches can be prolonged and hard to detect, silently collecting more information as time goes by.
If you’re storing data with a third party, it’s safer to think about when that data will be exposed, not if. Then ask yourself, "Do I actually need this data at all? Each piece of data you choose not to store is one less thing that can be exposed." The most secure data is the data that isn’t saved or shared with a third party in the first place.
"But wait! This random service says they value privacy and are HIPAA-compliant!" That’s great -- it's a good starting point. But that doesn’t prevent any of the above situations indefinitely. Accidents happen, and when they do, it’s your clients’ data and privacy on the line. Even HIPAA acknowledges the reality of breaches by focusing on the speed of notifying users when a breach occurs. It sets best practices for security but also recognizes that security will sometimes fail and/or mistakes happen.
This is why, at Quill, we take privacy seriously by following best practice security guidelines and we don’t store any of your data, both the summaries you submit and the notes we generate. Most importantly, our commitment to privacy is why we refuse to record entire therapy sessions. Imagine the impact on clients if those recordings were exposed. Yikes.
