by SmirkingRevenge 3051 days ago
I've worked in the healthcare space. HIPAA doesn't scare enough people/companies away. Not by a long shot.

Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.

Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture for their every couple of years. The rest of the time they go about sending socials and pmi through plain text email or just leave shit on their desks for anyone to pick up.

1 comments

The firms that HIPAA scares away aren't necessarily going to be the ones that have the most dubious security practices. They're going to be the ones that have a choice between business models that involve healthcare and ones that don't, and the ones that don't think they'd make enough money to justify the exposure.