Another day, another CE gets whacked for millions for a preventable breach. Further, if you read between the lines, the CE likely got whacked for willful neglect as well, because it appears to be missing basic policies and procedures. What's the excuse here? Hubris! Surely an organization of this size should have had the basics in place. Either the C-Suite was OK with thumbing its nose at the law or the compliance officer was grossly negligent. Agreeing to pay $3.5M is no small change, and that comes on top of whatever the organization had to spend on breach notification, which was likely a lot more.