Negligence in Data Security (PHI)

Let's just say the org needs to store data securely and according to regulatory and legal obligations, and that some was stored in a public cloud; I advised against that and was overruled, so I added whatever protection I could. Then the vendor of a certain line-of-business platform suggested a manager use a 3rd-party Chrome extension to combine all the reported data into a single convenient PDF for report purposes, and that process takes place outside of the scope of any established security practices and agreements. Then the user loses the extension and asks me to get it back, and I find out that data has been sent into the ether for months and nobody knows who or where they've been sending them to or anything else about it. Also, the specific data is commonly used for identity theft.

