That’s insane. And what does researcher even mean - some random university student? What would they know about securing that data? I wonder if the people whose data is out there even know this is happening
They clearly do include "some random student" as the data can be shared with others from the eligible research group which are almost always university students who have zero clue about itsec.
I'm curious – in which context? I've worked on NIH-funded grants in academic medical centers, throughout the research lifecycle, and I've seen how both stringently data management plans are vetted, and how annual IRB certification drills the basics even into the oldest tech-phobic investigators.
That being said, I may be as pessmistic as you are: I don't think people right now grasp how standards for deidentification may no longer be enough, and how easy and automated deanonymization changes everything. Unfortunately, cuts to federal science agencies means that I doubt any well-informed guidance will come soon.