Do you think if the agency hired a consultant to build this, a consultant couldn't have made the same mistakes?
Lack of security theater is a good thing for most businesses
If a consultant made the same mistakes I'd expect the consultant to be held accountable, not the client business that hired the consultancy - they knew they didn't have the requisite skills and so outsourced to an "expert" (and therefore can't be judged for not knowing how to secure their software since they did everything possible)
In this case the "client" is fully liable for the security issues.
It is possible. If you select consulting that you know nothing about, and they know nothing about programming and vibe coded it for you... and maybe you don't even have a contract to hold them responsible and maybe they don't really have a company either... Then I can imagine something like this.
It is physically possible for a consultant to write bad code. But you'd hope that a consultant could understand that medical data is extremely important to keep secure, and actually write it to have some level of security.
There's lack of security theater and there's:
> All "access control" logic lived in the JavaScript on the client side, meaning the data was literally one curl command away from anyone who looked.
They are not the same thing.
Usually they would just use an off the shelf product and extend it, so they wouldn’t produce the absolute horror story described in the article, no.
I'm not even sure what your last comment means. Are you contending that it is a good thing this company violated multiple laws with sensitive patient data?