
About medical secrets or who needs information security?

On the consequences of our carelessness, or, I would even say, of the kind of sloppiness (razdolbaystvo) that has already grown into a threat at the state level.

"I have nothing worth stealing, so there is nothing to worry about," is what not only ordinary people think, but also the managers of businesses whose core activity is not IT. If someone runs a small business and keeps the books in Excel, convincing him to pay for some kind of "information security" that brings no profit is a hard sell. He will simply hope for the best. After all, a breach of integrity / confidentiality / availability might never happen, so why pay?

Every Russian company that has been subjected to a cyber attack loses an average of $3.3 million per year. This is stated in the Hewlett-Packard report that the company announced at the HP Security media day.

And if "hoping for the best" does not work out, what does that lead to?

I will give an example from real life.
Like many people, I had occasion to have some medical tests done at one large laboratory. As a "bonus" there is a "results online" service. Quite convenient when you do not have to go and collect the results in person.
The account is your last name plus the contract number. The connection to the site is over https.

The whole process raised no suspicion until I looked at the address bar.

https://****/print/search_ready_one/?id=111111

111111 is my contract number, in plain form. Putting the contract number from another set of tests into the address bar, I saw those results without any authorization and without entering a last name. And what stopped me from viewing other people's results? Only my conscience. In other words, neither an authorization session nor any hiding of identifiers was in place.

On my next visit to the laboratory, I asked the girls at the desk to tell management that it was not nice to violate the law on medical confidentiality (the text of the law).

Some time later I had to look at my results again. Here is what I saw in the address bar:

https://****/...?id=<long base64 string; garbled in the source>

Well done, I thought: they fixed it, they encoded it. But curiosity got the better of me and I put the string into a base64 decoder.
The result:

OWQ1NDZ0Z2RmZ2ZnOW5uNTZkZmduaTExMTExMTF1aXNkZjExMW9sazk=

Base64 again? Strange. Once more:

9d546tgdfgfg9nn56dfgni1111111uisdf111olk9

Here 1111111 is the contract number. And the other digits? Unclear for now. I change the contract number to that of another study, leave the rest untouched, encode twice, and once again get the results of another study, openly and without authorization!
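Both lookups described above (the bare contract number, then the double-base64-encoded one) fail for the same reason: the identifier in the URL is the only thing standing between a request and the record. The Python below is an added example, not code from the post or from the laboratory. It uses constructed sample records, reproduces the post's decoded identifier to show that base64 is reversible encoding rather than access control, and places beside that the check a defender wants: object-level authorization bound to an authenticated session, plus per-session opaque references that cannot be derived from a contract number. The "longest digit run" extraction, the record layout and the session class are assumptions made for the example.

```python
import base64
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records (not real data): contract number -> result record.
RESULTS: Dict[str, dict] = {
    "1111111": {"patient": "Patient A", "phone": "+7-000-000-00-01", "result": "negative"},
    "2222222": {"patient": "Patient B", "phone": "+7-000-000-00-02", "result": "positive"},
}

# The two strings quoted in the post: the once-decoded layer and the fully decoded id.
INNER_FROM_POST = "OWQ1NDZ0Z2RmZ2ZnOW5uNTZkZmduaTExMTExMTF1aXNkZjExMW9sazk="
DECODED_FROM_POST = "9d546tgdfgfg9nn56dfgni1111111uisdf111olk9"


def single_base64(plain: str) -> str:
    """One base64 layer; the laboratory applied this twice."""
    return base64.b64encode(plain.encode()).decode()


def wrap_double_base64(plain: str) -> str:
    """Apply two base64 layers, as the laboratory's 'fix' did."""
    return single_base64(single_base64(plain))


def unwrap_double_base64(token: str) -> str:
    """Undo both layers. Base64 is an encoding, not encryption or access control:
    anyone can reverse it, so it adds no confidentiality at all."""
    inner = base64.b64decode(token).decode()
    return base64.b64decode(inner).decode()


def extract_contract(decoded: str) -> Optional[str]:
    """Assumption about the post's format: the contract number is the longest digit run."""
    runs = re.findall(r"\d+", decoded)
    return max(runs, key=len) if runs else None


def lookup_vulnerable(token: str) -> Optional[dict]:
    """Insecure direct object reference, as in the post: whoever presents a
    decodable id receives the record. No session, no ownership check."""
    contract = extract_contract(unwrap_double_base64(token))
    return RESULTS.get(contract) if contract else None


@dataclass(frozen=True)
class Session:
    """An authenticated session plus the contracts this user is entitled to read."""
    user_id: str
    contracts: frozenset


def lookup_authorized(session: Optional[Session], contract: str) -> Optional[dict]:
    """Object-level authorization: the identifier alone never grants access;
    the server checks that the logged-in user owns the requested contract."""
    if session is None or contract not in session.contracts:
        return None  # in a real handler: respond 403/404 and log the attempt
    return RESULTS.get(contract)


class ReferenceMap:
    """Per-session opaque references: the client only ever sees a random token
    that the server maps back to (owner, contract). Unlike base64, the token
    cannot be computed from a contract number, and it is bound to its owner."""

    def __init__(self) -> None:
        self._refs: Dict[str, tuple] = {}

    def issue(self, session: Session, contract: str) -> str:
        if contract not in session.contracts:
            raise PermissionError("cannot issue a reference to someone else's contract")
        ref = secrets.token_urlsafe(32)
        self._refs[ref] = (session.user_id, contract)
        return ref

    def resolve(self, session: Optional[Session], ref: str) -> Optional[dict]:
        owner, contract = self._refs.get(ref, (None, None))
        if session is None or owner != session.user_id:
            return None
        return lookup_authorized(session, contract)


if __name__ == "__main__":
    token = wrap_double_base64(DECODED_FROM_POST)
    print("vulnerable lookup:", lookup_vulnerable(token))
    alice = Session("alice", frozenset({"1111111"}))
    print("authorized, own contract:", lookup_authorized(alice, "1111111"))
    print("authorized, other contract:", lookup_authorized(alice, "2222222"))
    refs = ReferenceMap()
    ref = refs.issue(alice, "1111111")
    print("opaque reference for owner:", refs.resolve(alice, ref))
    print("same reference for another user:", refs.resolve(Session("bob", frozenset()), ref))
```

The point of `ReferenceMap` is that even a reference leaked from one user's URL is useless to another session, which is the property the double-base64 "fix" lacked; the real remedy is still the ownership check in `lookup_authorized`, and the opaque token only removes the incentive to guess.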

The results show the patient's full name and phone number. For an attacker, the number of scenarios is unlimited:
- Phishing: pose as a doctor and pressure the patient into buying a "miracle cure" with home delivery.
- Blackmail: tested positive for a genital infection? Does your wife know? And so on.

Conclusion

To put it mildly, I am not pleased that such a delicate side of my life as my medical history is available to third parties.
And to this day the situation has not changed, although more than a year has passed.

What I would like to ask the community:

How often do you hand over personal data to various organizations? Who, in your opinion, should ensure the confidentiality of your data? There is Federal Law 152-FZ (text of the law), but who should monitor its enforcement?
What cases of careless handling of your data have you encountered?
For those working in web development: why do such, I dare say, professionally unfit web developers keep getting orders?

Source: https://habr.com/ru/post/240699/
