Directly using offshore contractors to handle sensitive data and operations is obviously a security risk, but how do you know if your contractors' subcontractors' subcontractors are within US jurisdiction? Or how do you know if a company you trust with your records is doing it?

Far be it from me to wave a protectionist flag, but I don't think I can trust business decision makers to think this far ahead. As a result of their current cost-reduction induced myopia, they're simply moving today's real costs into the future in the form of risk. In this case, the risk was individuals' private information being leaked. That means that the business isn't entirely shouldering the risk. Sure the business may lose some customers because of it, but the disclosed patients pay the highest price. And they weren't the ones who decided to take on the offshore risk in the first place. We should at least have "warning lables" for business and agencies who outsource sensitive record processing offshore.

Like I said, I'm not suggesting that offshore outsourcing be made illegal or to put tariffs on it. But in cases like this, customers should be made aware of the direct and transitive risks involved when they invest their trust in a company to handle their sensitive private information.