by jawns 90 days ago
Wait, the main takeaway from this article is that cybersecurity sales teams now have great leads?

Facepalm.

The real takeaway should be that at every level -- government, corporate, healthcare entities, personal -- we need to rethink how we're acting in the face of these disasters.

Government should recognize that its current regulations are insufficient and look for ways to refine them.

Corporations and health-care entities should be asking themselves, "Do I really need to store this data? If so, how do I store it securely, make my systems less vulnerable to attack, make my personnel more informed about phishing, store it for the minimum amount of time, etc."

And we as individuals should be asking ourselves whether so many health-care entities need to store so much data about us.

3 comments

This wouldn’t have solved the largest one, Change Healthcare. They are an insurance claims exchange. They have to have all of this data.

The breach was social engineering of a customer support rep.

Having worked with them, they’re absolutely necessary for healthcare (in its current form; don’t get me started) to function. The alternative is integrating with hundreds of payers (won’t happen) or doing it by fax/mail (disaster).

I would say that if it is possible to exfiltrate 193 M sensitive records through a social engineering attack on one customer support rep, then there are multiple failure points that they and other businesses need to address:

- better security training for employees

- don't store 193 M sensitive records in such a way that one social-engineering attack gives you access to all of them

- don't store 193 M sensitive records without appropriate encryption, and make it hard to steal both the records and the decryption mechanism.
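An added illustration of the last two points above (editor's example, not code from the commenter or from any system named in the thread): per-record envelope encryption with the key-encryption key held in a separate component that authorises and rate-limits each unwrap. The `KeyService` and `RecordStore` classes, the `rep-17` support account, the ticket-based authorisation and the claim records are all constructed for the demo, and the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag standing in for a real AEAD such as AES-GCM.

```python
"""Envelope encryption with a separate, rate-limited key service (illustrative only).

Each record is encrypted under its own data key (DEK). The DEK is stored next to
the record, but wrapped under a key-encryption key (KEK) that never leaves
KeyService. Bulk-copying the record store, which is what one compromised
support account might achieve, yields ciphertext; reading any single record
needs a separate unwrap that KeyService checks against an open ticket and a
per-caller budget. The toy cipher below is a stand-in for a vetted AEAD.
"""
import hashlib
import hmac
import os


class AuthorizationError(Exception):
    pass


# --- toy AEAD: HMAC-SHA256 counter-mode keystream, encrypt-then-MAC ---
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyService:
    """Hypothetical stand-in for a KMS/HSM. The KEK stays inside this object;
    a caller gets a record's DEK only with a ticket for that record, and only
    up to a per-caller unwrap budget, so one account cannot drain the store."""

    def __init__(self, tickets: set, unwrap_budget: int = 5):
        self._kek = os.urandom(32)
        self._tickets = tickets          # set of (caller, record_id) pairs
        self._budget = unwrap_budget
        self._used = {}

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, caller: str, record_id: str, wrapped_dek: bytes) -> bytes:
        if (caller, record_id) not in self._tickets:
            raise AuthorizationError(f"{caller} has no open ticket for {record_id}")
        used = self._used.get(caller, 0) + 1
        if used > self._budget:
            raise AuthorizationError(f"{caller} exceeded unwrap budget of {self._budget}")
        self._used[caller] = used
        return unseal(self._kek, wrapped_dek)


class RecordStore:
    """Holds (wrapped DEK, ciphertext) per record; readable only via KeyService."""

    def __init__(self, keys: KeyService):
        self._keys = keys
        self._rows = {}

    def put(self, record_id: str, plaintext: bytes) -> None:
        dek = os.urandom(32)             # fresh data key for every record
        self._rows[record_id] = (self._keys.wrap(dek), seal(dek, plaintext))

    def dump(self) -> list:
        """What a bulk copy of the store itself yields: ciphertext only."""
        return [ct for _, ct in self._rows.values()]

    def read(self, caller: str, record_id: str) -> bytes:
        wrapped_dek, ct = self._rows[record_id]
        dek = self._keys.unwrap(caller, record_id, wrapped_dek)
        return unseal(dek, ct)


def demo() -> dict:
    # Constructed sample data; nothing here comes from a real system.
    tickets = {("rep-17", f"claim-{i}") for i in range(3)}
    store = RecordStore(KeyService(tickets, unwrap_budget=5))
    for i in range(20):
        store.put(f"claim-{i}", f"patient {i}: diagnosis code Z00.0".encode())
    results = {
        "bulk_dump_readable": any(b"diagnosis" in blob for blob in store.dump()),
        "ticketed_read": store.read("rep-17", "claim-1"),
    }
    try:
        store.read("rep-17", "claim-9")
        results["unticketed_read"] = "allowed"
    except AuthorizationError:
        results["unticketed_read"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the record store and the key service fail independently: stealing the first gives ciphertext, and the second only ever hands out one record's key per authorised request, so the attacker's take is bounded by the budget rather than by the size of the database.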

Let's not forget that cybersecurity companies may also be directly involved in hacking government institutions. Case in point: the Bulgarian TAD Group cybersec firm that allegedly hacked the National Revenue Agency in 2019.

> It is still unclear what prompted the hack. The prosecution claims that TAD Group tried to blackmail several companies to hire its services, inducing them with hacked information from their websites. However, no company has publicly complained yet. [0]

0 - https://kinsights.capital.bg/politics_and_society/2019/09/17...

> Government should recognize that its current regulations are insufficient and look for ways to refine them.

The sheer hostility by many people on here to data protection law (hello GDPR) suggests you are going to have a hard time getting such laws passed in the USA.