This sounds all too like the project I am collaborating on. It will be moderately big data (a few terabytes at most). The guys developing it just now are on their third NoSQL database - Elasticsearch.

Them: "Look at how fast it is"

Me: "You only have 3GB of data in it"

Them: "Its so fast to develop, just connect Angular straight to Elasticsearch"

Me: "Absolutely no concern given to security"

Them: "The previous project used an SQL database and ended up having so many table"

Me: "So it was probably properly designed"

I've seen this theme way too much recently- developers giving preference to their own convenience over the security of their application, or, even worse, their confidential data. Every time, however, it was due to incompetance; they didn't know what they were doing wrong.

Frameworks like Meteor.js encourage bad habits like this. Quoting straight from their homepage[1], "All the same APIs are available on the client and the server — including database APIs! — so the same code can easily run in either environment."

Running arbitrary database queries from the client cannot possibly be a good idea.

[1] https://www.meteor.com/

Ahh, hipsters.

Actually I didn't make the comment about the database being properly designed. I was at a loss as to what to say when that was the complaint.

Not even that - they say "We uploaded it into a traditional Microsoft SQL database on a 1TB drive". So it sounds like they were just using a single spindle. Purchasing an SSD for that SQL Server would probably have given comparable performance benefits.

It's small enough you can get servers that can hold it in memory....

The report also indicates that appropriate government approvals were obtained and that they protected the healthcare data appropriately. Might they have been using an appropriately secured Google cloud tool? I understand that this still doesn't tell you the country in which the data resides, but that's a lot different than posting data on the open internet or an unsecured cloud instance.