Add DISA Upper Management
... to the group named, "scum".
DISA Global Solutions, a company that provides drug and alcohol testing, background checks, and other employee screening services, this week notified over 3.3 million people that their sensitive information may have been stolen by miscreants. In a February 24 filing with the Maine Attorney General's office, the Texan firm said …
I've always opted out of drug testing. If there were some issue where I was formally accused of being intoxicated while on the job, maybe, if I was also in a position where I might be charged criminally in the aftermath of an accident.
The only reason for random drug testing was to keep companies from getting sued through only testing the stoners and alkies. "See, look, everybody has to pee in a cup, not just you." Since I don't spend any time in an unprescribed drug-induced haze and only have a couple of fine bevies occasionally on my own time, it's pointless to test me.
Once you've provided a sample for any sort of testing, you have no idea what will actually be done. I expect there will be screening for drugs/alcohol, but what else? I usually have to ask the doctor what sort of screening they want to do before they draw blood or something and why. It might be a way to bulk up billing that gets paid by insurance and isn't too hard to justify. Once those tests are done, the data is somewhere and can be vulnerable. If the tests aren't done, there is no data and I find that to be much safer. With AI/expert systems, there may be awesome new tools for doctors to make a diagnosis, but it's not just your own doctor that could feed your data into such a system. All of the health data regulations in the world won't mean a toss if the data is hacked.
"Did you hear that Bob is dying?"
"No, what does he have?"
"The entire South American division"
"No, what is he dying of?"
"I didn't think to ask"
~Head Office
What if a company could (not in a legal sense) get a read on the overall health of applicants/employees to use in the decision-making process about whom to hire/promote for an important role?
Having the information leaked was bad enough. But is there any possibility, however remote, that the miscreants could have changed the data, not just exfiltrated it? Mark folks as having failed a drug test, then either inform their current employers to get them fired or ransom them to not do so?
There's also the fact that DISA didn't get around to notifying the people whose data was stolen for a YEAR. That's unconscionable and should be illegal. Yes, the employers are the customers and should be informed, but the real victims are the individual workers.