[beejhuff]

+1 on raising the ethical point. I get SO mad when I discover regular old ecommerce businesses treating their customers so poorly that they want to HIDE as much as possible about even minor security breaches...it's just flat out morally repugnant to betray the customer's trust like that, and there's no inalienable right to run a business at all...

And that's really just relating to the risk of damaging someone's credit & hassles of dealing with Identity Theft if payment info is compromised....But when you start talking about PHI and stuff like mental health issues or info about poorly understood medical conditions is being disclosed that could potentially ruin a person's entire career or destroy families / social interactions for the rest of their lives, it just goes so far beyond the pale of moral repugnance that I don't even have the words to describe it...

Since the OP got flagged, I can't comment any more on the thread and it's probably a moot point anyways, but I thought I'd at least add a few more links for anyone interested in seeing what DHS HAS been able to do re: enforcement...

- https://www.hcca-info.org/Portals/0/PDFs/Resources/Conferenc...

- https://www.propublica.org/article/small-scale-violations-of...