back to Axiomatic Language Home Page

Complaint about MedStar Data Breach Settlement

To:  The Parties of the MedStar Settlement
From:  Walter W. Wilson

This message is in response to the recent postcard notice about the settlement for the MedStar cyberattack of October 2022, of which I may be a victim. I am a retired computer programmer of CAD applications for Lockheed Martin in Fort Worth. I want to express my opinion that the settlement is insufficiently punitive to MedStar.

First, let me thank the plaintiff(s) and plaintiff attorney(s) for at least bringing this lawsuit. I just wished the settlement cost to MedStar was several orders-of-magnitude greater. Is there still time?

Having spent years in software development, I have seen a lot of sloppiness -- inadequate testing, inattention to requirement details, lack of creativity in risk assessment, unsafe programming languages, buggy operating systems and utilities, etc. These deficiencies can cause significant harm and costs. Some famous examples include the following:
  Therac-25   - patients injured/died
  Mars Climate Orbiter   - $125M spacecraft lost
  Subaru robot bug   - unsafe vehicles had to be destroyed
Had the Subaru robot bug not been caught early, people might have died in the unsafe vehicles. Poor-quality software that endangers lives and is costly to consumers and taxpayers should result in significant financial penalties to the developers and operators.

Data breaches can usually be traced to system software bugs, bad design, or bad practices. The 2017 Equifax breach (link) in which 140+ million Americans had their personal information compromised, involved all these things and is an example of particularly egregious corporate behavior, for which victims were insufficiently compensated.

Businesses would probably like to say a breach is entirely the fault of an evil hacker, but I put equal or more blame on the companies themselves for their negligence. An analogy would be a bank that leaves its vault door open all the time and then gets its customer's money stolen. Sure, give the thief a long prison sentence, but also give the bank and its managers fines for their dereliction of duty.

Our future world will see software become even more pervasive with even greater risks to our lives and property -- self-driving cars, pilotless airplanes, robotic surgery, software-designed bridges, 3D-printed buildings, etc. For example, Boeing has a software system called GEODUCK that can reportedly optimize aircraft structural parts. But a bug in that optimization could result in a part that is too weak -- it could fail in flight -- an airliner could crash! Clearly the developers and operators of critical software need to be held to a high standard of correctness and should face significant penalties when they fail to meet that standard.

I have an interest in the long-term goal of formal verification of software -- proving that software is correct (Axiomatic Language and Proof). I suspect formal verification will become a requirement for future critical software systems that our lives, finances, and privacy depend on.

It so happens that formal verification is coming into practice now. For example, Amazon Web Services uses formal methods in their cloud system (link). Could MedStar have avoided this data breach had they used AWS? If so, they should be penalized for not doing that.

I think a minimal settlement for this MedStar data breach should include lifetime credit monitoring since the risk of identity theft is ongoing and it should include at least $100-$1000 personal compensation for this risk and the loss of privacy. (Aren't there also laws against mishandling private medical information?) This would be in addition to any specific costs that can be traced to this breach (such as the time I've spent writing this letter). A larger settlement like this would set a great precedent. It would send shock waves throughout the software industry. It would send a message that mediocrity in software is unacceptable and could be extraordinarily costly. Businesses would be forced to re-prioritize their software development and operation practices in a way that gives greater emphasis to achieving quality. Large settlements for data breaches would encourage the progress of formal software verification and its adoption. This could ultimately be a huge contribution to society.

back to Axiomatic Language Home Page