by erikerikson 17 days ago
Penalties are $100-$50,000 per violation (i.e. per leak for each person), up to $1.5 million per year[0]. If in the US (I'm assuming given you mention your health insurance) you can report it to your state insurance commissioner which may have already occurred for your incidents.

[0] https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...


"Strict Liability" is how we deal with a subset of crimes and torts - intent is not required to be proven to establish legal culpability/liability.

You're describing willful leaks by an employee, I'm condemning insufficiently competent / insufficiently conservative data security. A data security breach should incur significant penalties to the corporate entity, and those penalties should be multiplied by the number of records compromised.

These penalties should be high enough to minimize the number of records actually retained outside of cold storage, among other things.

When Equifax's breach leaks their entire database, massive social losses are occurring. We should have collectively seized that company from its shareholders for spying on us and leaking all our shit, not settled for "a year of free credit monitoring".

So when I get a letter telling me that an old insurer has had all of their patient data, names, DOB, SSN, health conditions, leaked to the darknet... and then I look it up and see it's the second time in a couple years? This is data that is in theory heavily protected. I'm out for blood.

Actually, I summarized the whole bunch which included your case. Note, for example, that the range starts with $100.

I completely agree that the offers of credit monitoring are completely insufficient. Mixing that with feelings about the credit system muddles things a bit but I'm no fan of the incompetence of that system either even though there is some social good in the underlying provision.

I'm not telling you not to be angry. You have every right to be. I would suggest noting that at some level you can end up maximizing the damage it does to you.

There are also possible prison sentences. I just love it when someone wants to "get tough on X" when all the laws are already tough on X and just unenforced. That's how you end up with every American committing three felonies a day without knowing it.
I'll bite: examples?
Discarding misdirected mail is a felony (18 U.S. Code § 1702). For example, you receive a flyer in the mail addressed to John Smith who previously lived at your address. If it doesn't say "John Smith OR current resident" then discarding that junk mail is a felony. You are supposed to write "Return to sender" on every piece of junk mail or correspondence not addressed to you and put it in the outgoing mail. People discard junk flyers every single day without looking at the address first. Simple things like that.

To tie back into the original discussion on HIPAA, I had a collection agency sending mail addressed to a previous resident to my address once. The return address was the clinic of the patient. I was dutifully writing RTS on every letter and putting it back in the mail, but they would not take me off their nastygram list. That was until I wrote "You know, it's a felony HIPAA violation to be leaking this patient's name and clinic to me after you've been notified of the incorrect address." The collection letters immediately stopped after I did that.

Good example. I believe the correct behavior is to write "Not at this address" rather than "Return to sender" these days.
It's from a topic in a book [1] that is sometimes also discussed on forums. The gist of it is something to the effect of, there are so many laws and so much wiggle room in most of the laws that each person is committing multiple felonies per day without knowing it, thus empowering agencies to arrest just about anyone at any given time. That the United States of America has the highest incarceration rate in the world is just one small example of that.

[1] - https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp...

I was aware of the de facto state but not the book, thank you for sharing that.

Still, I was hoping for examples.

Oh you meant like case law examples. It's a bit of reading but search for examples of case law where a person was convicted on technicalities but not violating the spirit of the law, sometimes later being over-turned. I don't have any examples and I hate to suggest this but maybe start with whatever LLM you use.
I avoid LLMs but wasn't concerned with case law as much as a specific law on the books, whether used or not. A peer comment offered mishandling of mail not addressed to you.