Comment by nativeit

3 days ago

Yep. I have clients who operate under HIPAA rules who called me out of the blue wondering where their documents had gone. Microsoft left a cheery note on the desktop saying they had very helpfully uploaded ALL of their protected patient health data into an unauthorized cloud storage account without prior warning following a Windows 10 update.

When I used to work as a technician at a medical school circa 2008, updating OS versions was a huge deal that required months of preparations and lots of employee training to ensure things like this didn't happen.

Not trying to say that you could have prevented this; I would not be surprised if Windows 10 enterprise decided to "helpfully" turn on auto updates and updated itself with its fun new "features" on next computer restart.

  • Why even use Windows at that point? You can train your employees to use other operating systems that won't have dark patterns to leak sensitive data.

    • Can't speak for the medical school but my guess is familiarity. Can't remember what the Mac landscape was like at that point but it probably wasn't vetted enough for HIPAA. And Windows 7 wasn't that shitty at the time.

      And even so, let's say they didn't use Windows — I'd still expect the same rigor for any operating system update.

OneDrive is HIPAA, and IRS-740, and FIPS, for this reason. It’s an allowed store for all sorts of regulated data, so they don’t have to care about compliance risk.

  • I'm not sure the next Joint Commission audit will be totally cool with them randomly starting to store files in the cloud with zero policy/anything around the change.