I didn't know this format was a thing and am <i>so</i> very excited to discover it. I hope you folks enjoy reading horror stories.<p>I got a job as a Software Engineer in my current company 4.5 years ago; friend-of-a-friend sort of thing. The company had an apparently disastrous piece of software that was their main LOB. They had gone through pretty much every local consulting agency - at least once, on a few occasions they had gone back to one they had already used. It was about 10 years old and consisted of a mix of VB6(!), VB.NET, C#, F# and somehow now Node. At the time tackling a disaster like that sounded fun and I was miserable at a consulting gig. It was a 20k bump but no benefits (health or retirement), but as a single guy 6 months away from paying off his college debt I wasn't worried. I figured I'd dump a few years in then move on.<p>Three months in, I'm absolutely baffled at what the company does. I was told they handle insurance claims, basically acting as a TPA. (Important detail: I had no idea what a TPA was at the time. It's gonna matter later.) The software <i>does</i> handle claims, but they also have 10 other projects that cover a bunch of random business use cases. Apparently the CEO is a self-described "idea man" and would task the previous developer to 'prototype' his ideas from time to time. The problem was his idea of a prototype was a fully-functional application that he could sell to investors and clients - until he got bored with it and shelved it. This ended up with the company having around a half-dozen actively used products in a half-dozen markets. 
In addition to the TPA side of the company that was about 50% of revenue, the other half was split over 1) check cashing software, 2) HR/onboarding software, 3) some sort of discount medical visit scam, 4) some sort of MLM scam that the CEO's brother-in-law co-opted him into, 5) a random cannabis and self-help website run by some yoga guru type dude the CEO knew and finally 6) a piece of software that helped churches organize events and donations that took about 50% of <i>any</i> transaction that was run through it as "fees" for our company. Now I could talk about any of those monstrosities at length, but this is already shaping up to be a wall so I'll skip that.<p>1.5 years later. I've wrangled the mix of VB6, VB.NET, C#, F#, PHP4, PHP5, PERL, ASP.NET WebForms and MVC, SQL Server, Postgres, MySQL still using MyISAM, god knows what other horrors I've forgotten. All of this without version control - just folders copy-pasted over and over on a 10 year old server in the closet that has no redundancy, two failing disks and one PSU out of order. The last guy had started some positive changes: moving everything over to Azure, porting everything related to the claims business into a more modern MVC app. I finished his work. I squashed about a dozen Wordpress instances into a single, multi-tenant host. Squashed out all the other languages and databases into just C#, ASP.NET, SQL Server. Ended up reducing the Azure spend by about $2000 a month. Felt good! CEO loved me. COO (my direct manager) loved me. CFO was pleased. All throughout this, I had convinced the COO to cut out all the shady, near-illegal, morally bankrupt garbage we did. No more check cashing (awful, awful industry), no more MLM of any sort, no more stealing money from churches (we kept that going, just changed our fees to a nominal amount). All the work I had done led to a decrease in onboarding time from 2-3 days to 10 minutes and the TPA side of things was now about 85% of our revenue.
Happy ending, right? Just you wait...<p>Somehow, I had not encountered a single brilliant "CEO Idea" for 1.5 years. He decided to fix that on one delightful summer day in the mid-west by announcing that we would be acquiring a healthcare startup that a buddy of his ran. Now this pissed most of the folks at the company off and is probably a good point to talk a little about the structure of said company. As mentioned, we had a CEO, COO, CFO, and "Chief of Sales" (never heard of a COS myself, but who knows). We didn't call ourselves a startup and had none of that Bay-style of startupness; we were just a small business with some investors. After the C's we had myself as the lone engineer, two sales guys, three admin-types and six or so customer service folks. None of which had healthcare or retirement benefits, mind you. So there was a bit of rancor when Mr. CEO started talking about dropping $5 mil to acquire this fancy new healthcare company. Somehow I, Mr. Software Engineer, ended up being the guy that needed to take this head-on (well, to be fair, the COO and I had a great relationship). That's a tale in and of itself, but at the end of the day we ended up getting a 6% matching 401k and $500/$1000 single/family monthly reimbursement for health insurance, stopped 3-4 people from quitting, got me a whole lot of respect in the office and a fancy new title of "Chief Technical Officer" (not related to the benefits; CEO was just happy at how efficient I'd made everything) and 20k base salary increase. CTO at a company with 1 engineer. Neat. Happy ending, right? Just you wait...<p>We also got a brand new healthcare startup for about $2.5 mil in cash, $2.5 mil in stock. We got sheisted and it was our fault. While I'm no MBA, I know what due diligence is, and I intended to do it from the technical angle while our CFO handled it from the financial.
Before we bought the company I made every effort to actually review what their software looked like, but was single-handedly blocked by my own CEO. "We're never going to do that, Throwaway," he would say, "Other CEO is my friend! I've known him for twenty years and if he says his software is solid, it is! Just trust me." Diligence took about three months and despite dozens of arguments, I was denied <i>any</i> access to <i>anything</i> technical. All I ever got was: "Our software is in Node using MongoDB and is hosted in the cloud." Great. I was never even allowed to meet or speak to their development team (apparently 5 engineers, all of whom were phenomenal). The only human being I ever spoke to at this company was the CEO. So I tried other angles, the big one being: what the hell does your software actually <i>do</i>? Their big claim to fame was 'modernizing concierge medicine using AI'. If you're like me and have no idea what concierge medicine is, it basically means your doctor comes to you because you're a rich yuppie and can't be bothered to leave your beach house to visit him. How do you enhance that using AI? I had no idea. Still don't. And so we bought the company with zero diligence done, though the CFO did say their books looked good, whatever that means. So the nightmare begins...<p>2 years in. We start onboarding people, I start onboarding the project itself. I am finally given direct developer contacts, which are a bunch of emails that <i>don't end in the same domain as the company we just bought?</i> Pardon? They're all @BobsRandomConsultingCompany. I reach out, explaining who I am, that we just acquired Project X and I need access to the code, environment, engineers - the whole nine. I get a very lovely, professional response from a Project Manager over at Bob's who lets me know that they will be sending over a contract so we can get started right away, along with their rate sheet! I'm baffled! I thought Project X had 5 internal engineers, Mr.
Other CEO?! At this point I promptly aged 6 months in 6 minutes and I felt the first twinge of an ulcer growing.<p>Contract arrives, I sit down with COO and CFO and explain that we have been duped. COO is angry; CFO is not concerned until I show him the contract that Bob's sent over. The contract ye olde healthcare startup signed apparently agrees to pay for 5 fixed resources (at $200/hr!) for 40 hours of work each, per week, for a <i>period of a year</i>. Now I'm not unfamiliar with being outsourced as a resource, from a consulting company, for a fixed amount per week - but never have I seen a contract that binds you for a year, especially for 5 resources, with not one deliverable mentioned <i>anywhere</i>. Maybe my five years of consulting wasn't enough, but that blew my mind. Additionally, they sent us the server bills (AWS) and informed us we paid directly for utilization in addition to a "HIPAA Monitoring and Compliance Fee" of $3000/mo. As I had not a year ago lowered our own cloud costs to about $800/mo, this number struck me as staggering. $3000/mo base + around $2000 for the servers currently running. Also, "what the <i>fuck</i> is HIPAA" I said aloud, the only answer being the two confused shaking heads of my COO and CFO. Uh-oh...<p>Segue. The actual Project Manager of the acquired company (not the one from Bob's Hair Care IT Consulting Nail and Tire Salon) has moved in and I've finally got a victim to victimize with my <i>many, many</i> questions. She already looks harrowed before I begin my interrogation. Are people actually using this? How much do we make per visit? Visits per month? I forget the answers to these, but the end takeaway was: we bring in about $10k/mo net right now. I'm no accountant, but I'm fairly confident you can't pay the expenses of a company + a half dozen employees on $10k/mo. PM agrees - they've burnt through about $7 mil of investor cash over their 6 years of existence.
No path to profitability is in sight.<p>Around the same time I've got the Project X repository (whew, at least they used source control) moved over into my world and have started reviewing the actual source. I'm no Node wizard, but I'm immediately confused as I see both Express and Hapi (two server frameworks, generally considered competition to one another) used in the same project. That's...odd. Investigation intensifies: it's a simple CRUD project that takes a form submission from a registered user, saves it in Mongo and slaps it into a queue for delivery to the given doctor's email. That's really it. There's some back-end admin that allows the doctor to write some notes about their visit. Like a little baby EMR (though I had no idea what an EMR was at that time). Amusingly, it's got an Angular front-end (1.x, because why not spread salt on my wounds) that hits an Express endpoint that then <i>proxies the call to a Hapi endpoint</i>. For no reason. I can't find a single comment or piece of documentation explaining why. Icing on the cake? There is in fact authentication used from Angular -> Express. The Hapi endpoints, however, are wide open - but surely not from the ELB, right? Certainly it's just an idiotic architectural decision that isn't <i>actually</i> exposed to the public? Nope. There's a rule in the ELB. Sweet Baby Ray's someone help me, there is a publicly accessible, completely open API that anyone could discover that gives away patient and doctor information. Huh, I wonder if the US has any sort of regulation on that kind of stuff? I should really take some time to investigate that HIPAA thing I found earlier, maybe that's got something to do with it...<p>Employment duration: unknown. My ulcer has had a baby. I think I may have had a psychotic break. I Googled HIPAA. I simultaneously shat and pissed myself, which I didn't think was possible during a panic attack, but the human body is an amazing thing.
I took Thursday and Monday off from work to read through a PDF I found of this most enlightening "HIPAA" legislation. It says "SAMPLE" or "UNOFFICIAL" or some such on it, so I'm not sure how accurate it is, but whatever - I need to educate myself somehow. I spent a thrilling four days reading, re-reading, and summarizing what I understood of the several hundred page document - printed in three-column layout because why not make it more abysmal. It doesn't seem completely dire; it looks like there is some stuff we need to do if we are storing this mythical PHI, but it isn't terribly complex (at least technically!). I had already been planning on encrypting everything we own, and all of our sites are already behind SSL, so this should be cake. Phew! Calm down, baby-ulcer, don't think about grand-kids quite yet. Also I found a few great summaries of the Act which I could share with my COO - but really, we need to sit down with Legal and have them explain why this was never brought up. And let's be honest, I'm not a lawyer - the professionals can handle this!<p>Legal has never heard of HIPAA. That's not good. I convince COO to ask Legal to reach out to a different Legal who specializes in healthcare. We sit down with them a few days later and our new Legal turns white after I lay out everything we do, our concerns, and the simple question: "Do we need to do any of this stuff I read about?" Turns out, having your CTO read a complex, many-hundred-page legal document is <i>not</i> the best way to get accurate legal advice. We're fucked. We're a TPA filing insurance claims - we absolutely, 100% must comply with this Act. Oh and guess what? The Act has a delightful addition called an Omnibus, passed back in '13, that makes any possible defense we <i>might</i> have had to not comply...completely null and void. We're in what is called 'Breach'! We have fucked up. Royally and legally. Icing? We're all <i>personally</i> liable, at least to the letter of the law.
But don't worry - we didn't <i>know</i> we fucked up, so the fees are an order of magnitude less. They'll only bankrupt the company 5 times over, instead of 10! Hurray!