back to Axiomatic Language Home Page
Complaint about MedStar Data Breach Settlement
To: The Parties of the MedStar Settlement
From: Walter W. Wilson
This message is in response to the recent postcard notice
about the settlement for the MedStar cyberattack of October 2022,
of which I may be a victim.
I am a retired computer programmer of CAD applications for
Lockheed Martin in Fort Worth. I want to express my opinion that
the settlement is insufficiently punitive to MedStar.
First, let me thank the plaintiff(s) and plaintiff attorney(s)
for at least bringing this lawsuit. I just wish the settlement cost
to MedStar were several orders of magnitude greater. Is there still time?
Having spent years in software development, I have seen a lot of
sloppiness -- inadequate testing, inattention to requirement details,
lack of creativity in risk assessment, unsafe programming languages,
buggy operating systems and utilities, etc.
These deficiencies can cause significant harm and costs.
Some famous examples include the following:
Therac-25 - patients injured/died
Mars Climate Orbiter - $125M spacecraft lost
Subaru robot bug - unsafe vehicles had to be destroyed
Had the Subaru robot bug not been caught early, people might have died in
the unsafe vehicles.
Poor-quality software that endangers lives and is costly to
consumers and taxpayers should result in significant financial penalties to
the developers and operators.
Data breaches can usually be traced to system software bugs, bad design,
or bad practices. The 2017 Equifax breach
(link)
in which 140+ million Americans had their personal information compromised,
involved all these things and is an example of particularly egregious
corporate behavior, for which victims were insufficiently compensated.
Businesses would probably like to say a breach is entirely
the fault of an evil hacker, but I put equal or more blame
on the companies themselves for their
negligence. An analogy would be a bank that leaves its vault door open
all the time and then gets its customers' money stolen. Sure, give the
thief a long prison sentence, but also give the bank and its
managers fines for their dereliction of duty.
Our future world will see software become even more pervasive
with even greater risks to our lives and property -- self-driving cars,
pilotless airplanes, robotic surgery, software-designed bridges,
3D-printed buildings, etc.
For example, Boeing has a software system called GEODUCK
that can reportedly optimize aircraft structural parts.
But a bug in that optimization could result in a part that is too weak
-- it could fail in flight -- an airliner could crash!
Clearly the developers and operators of critical software
need to be held to a high standard of correctness and
should face significant penalties
when they fail to meet that standard.
I have an interest in the long-term goal of formal verification of software
-- proving that software is correct
(Axiomatic Language and Proof).
I suspect formal verification will become a requirement for
future critical software systems that our lives, finances,
and privacy depend on.
It so happens that formal verification is coming into practice now.
For example, Amazon Web Services uses formal methods in their cloud
system
(link).
Could MedStar have avoided this data breach had they used AWS?
If so, they should be penalized for not doing that.
I think a minimal settlement for this MedStar data breach should
include lifetime credit monitoring, since the risk of identity
theft is ongoing, and it should include at least $100-$1000 personal
compensation for this risk and the loss of privacy. (Aren't there also
laws against mishandling private medical information?) This
would be in addition to any specific costs that
can be traced to this breach (such as the time I've spent
writing this letter). A larger settlement like this
would set a great precedent. It would send shock waves throughout
the software industry. It would send a message that mediocrity in
software is unacceptable and could be extraordinarily costly.
Businesses would be forced to re-prioritize their
software development and operation practices
in a way that gives greater emphasis to achieving quality.
Large settlements for data breaches would encourage the progress of
formal software verification and its adoption. This could
ultimately be a huge contribution to society.