• I used to work for a company that was in the health care business. We had databases full of PII (Name, Address, SSN, DOB, Insurance Membership, etc.) and none of it was encrypted. It was also copied from PROD to QA to DEV and sent overseas to our India office.

    I complained loud and long about how dangerous this was and how we need to secure this data. Finally the Director of Security for my company called me into his office and basically read me the riot act and told me I need to shut up. They were aware of the issues and were working on them and that if the clients found out about this, we could lose business.

    I started looking for a new position that afternoon. I still have friends who work there and now, almost 16 months later, nothing has changed.

    And from what I understand from other friends, this is more the norm than the exception.

    It blows my mind!