VERKADA’S EYES EVERYWHERE: HOW ONE COMPANY TURNED HOSPITALS, SCHOOLS, AND CLINICS INTO A HACKER’S PLAYGROUND
The Non-Financial Ledger
The currency of Verkada’s failure isn’t just measured in dollars from its $90 million revenue year. It’s measured in moments of stolen privacy. It is the silent, unblinking eye of a camera in a psychiatric hospital room, broadcasting a patient’s vulnerability to a stranger. It is the image of a child playing in an elementary school, their assumed safety shattered by a corporation that prioritized growth over protection. It is the capture of a person in a women’s health clinic, a place of sanctuary and private counsel, turned into an open book for anyone with the right exploit. This is the true cost, the one that never appears on a balance sheet but is paid in full by the people whose lives were laid bare.
This is a story of profound betrayal. Over 12,000 businesses, 80% of them small operations with 500 or fewer employees, bought a promise. They were sold “plug-and-play” security, a system that was “HIPAA compliant” and “secure out of the box.” They were told their data, their customers, their patients, and their employees would be safe. Instead, they were sold a vulnerability. They paid for a watchdog that was, in reality, an unlocked door. The trust they placed in Verkada was weaponized against them, turning their own security infrastructure into a tool for mass surveillance by an unauthorized intruder.
The harm extends beyond the digital realm. It creates a chilling effect that erodes the foundations of societal trust. How can a patient speak freely to a therapist when they fear the camera on the wall is not secure? How can parents feel safe sending their children to school knowing the surveillance system could be compromised? Verkada’s negligence introduces a poison of doubt into places that require absolute confidence. The damage is the quiet fear that follows you, the nagging question of who might be watching, the psychic weight of knowing your most personal moments were exposed because a company cut corners on security it sold as its primary feature.
This was not an accident. The Department of Justice complaint makes it clear this was a result of systemic, documented failure. A cybersecurity firm hired by Verkada *after* a previous breach in December 2020 flagged “several security gaps,” including weak authentication, misconfigured servers, and a lack of monitoring. They were given a roadmap to fix their broken system. They failed to follow it. The March 2021 breach was not a surprise; it was an inevitability written in the code of corporate indifference. The intruder didn’t have to be a state-sponsored genius; they just had to walk through the door Verkada left wide open.
Through the Command platform, the intruder had access to over 150,000 live customer cameras and viewed patients in psychiatric hospitals (including patients resting in hospital beds) and women’s health clinics, young children playing inside of a room, and incarcerated persons inside of their cells.
The final insult is the sheer arrogance of it all. While the system was riddled with flaws, the company’s executives and employees were busy posting fake five-star reviews online to lure in more customers. A Vice President of Engineering, an Account Executive, an Engineer, all contributing to a public facade of excellence while the internal reality was a ticking time bomb. They sold security as a product while practicing deception as a business model. The ledger shows a debt of dignity, privacy, and trust that no civil penalty can ever truly repay.
Societal Impact Mapping
Public Health
Verkada’s security failures represent a direct assault on public health infrastructure. The sanctity of medical privacy, a cornerstone of effective healthcare, was systematically undermined by the company’s fraudulent claims of “HIPAA compliance.” The Health Insurance Portability and Accountability Act exists to create a zone of trust, ensuring patients can seek care for sensitive conditions without fear of exposure. Verkada’s cameras, installed in hospitals and women’s health clinics, shattered this trust. The breach allowed an intruder to view patients in psychiatric hospitals and health clinics, an act that transforms a tool of safety into an instrument of violation.
The consequences are severe and long-lasting. When patients cannot trust that their presence in a medical facility will remain confidential, they may delay or avoid seeking necessary care. This “chilling effect” is particularly damaging for mental health services and reproductive healthcare, where stigma and privacy concerns are paramount. Verkada did not just leak data; it damaged the therapeutic relationship and erected new barriers to healthcare for countless individuals who were unknowingly recorded. The company’s actions demonstrate a reckless disregard for the delicate trust between patient and provider, a trust that is essential for a functioning public health system.
Economic Inequality
The government’s complaint reveals a predatory dynamic targeting the most vulnerable segment of the business community. According to the filing, “Approximately 80% of Defendant’s security camera and building access control customers are businesses with 500 or fewer employees.” These are not massive corporations with dedicated cybersecurity departments and legal teams to vet vendors. These are small businesses, schools, and local clinics that relied on Verkada’s marketing promises of a simple, secure solution.
By purchasing these systems, they invested significant, often strained, capital into what they believed was a best-in-class security product. Instead, they bought a liability that exposed their customers, their operations, and their own sensitive data like Wi-Fi credentials and site floorplans. The breach forced these small organizations to deal with the fallout, including increased phishing attempts and the immense reputational damage of failing to protect their clients’ privacy. Verkada profited by offloading its security responsibilities onto customers who were in the weakest position to defend themselves, a classic case of corporate negligence disproportionately harming those with the fewest resources.
Environmental Degradation
The source material provided for this investigation, a legal complaint filed by the Department of Justice, focuses exclusively on violations of information security, privacy, and marketing laws. The document details extensive failures in Verkada’s digital infrastructure and deceptive business practices.
However, the complaint does not contain any information or allegations related to environmental degradation, pollution, resource extraction, or any other form of ecological impact resulting from Verkada’s operations or products. Therefore, an analysis of the company’s environmental footprint cannot be conducted based on the evidence at hand. The primary harms documented are digital, psychological, and economic.
Legal Receipts
The case against Verkada is built on the company’s own words and documented failures. Below are direct excerpts from the Department of Justice’s complaint (Case 3:24-cv-06153), which lays out the evidence of their misconduct in methodical detail.
On Verkada’s systemic security failures: “Defendant has engaged in multiple practices that, taken individually or together, failed to provide reasonable or appropriate security for the personal information that it collected and maintained from and about customers and consumers.”
On prior warnings being ignored: “Subsequently, the cybersecurity and forensics firm that analyzed the December 2020 Mirai malware incident flagged ‘several security gaps’ that Defendant needed to address, such as misconfigured servers, weak authentication and access management, and the lack of centralized logging and alerting capabilities.”
On the scale of the March 2021 breach: “Once inside Defendant’s system, the intruder used privileged access to explore the Command platform… the intruder had access to over 150,000 live customer cameras and viewed patients in psychiatric hospitals… women’s health clinics, young children playing inside of a room, and incarcerated persons inside of their cells.”
On Verkada’s ignorance of the active breach: “After hours of exploration into Defendant’s customer support server and security camera feeds, the intruder self-reported the breach to the news media. Defendant remained unaware of the breach until a media outlet contacted Defendant for comment.”
On the scope of stolen data: “Exfiltrated several gigabytes of data containing customers’ and consumers’ information, including: (1) names, (2) email addresses, (3) physical addresses, (4) customer usernames and password hashes, (5) live camera footage, (6) video archives… (10) customers’ site floorplans… and (16) customer Wi-Fi credentials;”
On false security promises: “Since 2018 Defendant’s privacy policy has claimed that ‘[w]e will use best-in-class data security tools and best practices to keep your data safe’…. In a January 2020 interview, Defendant’s CEO stated: ‘We built a system that’s end-to-end secure… Verkada is secure out of the box.'”
On deceptive HIPAA claims: “Since at least March 2020, Defendant has told healthcare providers on its website that it can ‘[i]mprove safety across healthcare facilities with Verkada’s HIPAA compliant solution.’… A ‘Security Posture Assessment’ conducted by a third party in February 2021 concluded that, ‘[w]hile policies and controls and procedures seem to have been implemented for HIPAA[,]…evidence of compliance with [this] framework could not be located….'”
On a customer’s reaction to the HIPAA deception: “I’ve been told on a number of occasions that you were HIPAA compliant. This breach verified that isn’t actually the case….”
On fake employee reviews: “On multiple occasions… Defendant’s employees, as well as a venture capitalist who invested in Defendant… posted positive ratings and reviews of Defendant and its products on Google Maps and failed to disclose their association or current employment status with the company…. As of June 2023, almost 35% of Defendant’s Google Maps ratings and reviews were posted by Defendant’s employees or a venture capital investor.”
On illegal spam emails: “Defendant’s reliance on these campaigns has grown exponentially, sending more than 2 million commercial email messages in 2019, more than 6 million in 2020, and more than 22 million in 2021… recipients have repeatedly notified Defendant that the emails are unwanted… and that they are unable to unsubscribe from these emails despite substantial efforts.”
What Now?
Accountability for this level of negligence requires sustained public pressure. The legal system moves slowly, but the individuals behind these decisions remain in positions of power. While the complaint does not name all executives, it provides enough information to begin a watchlist.
Corporate Leadership Watchlist
- [REDACTED – Not in Source]
  Chief Executive Officer, who publicly claimed “Verkada is secure out of the box.”
- Rob Cromwell
  Vice President of Engineering, who posted a 5-star review without disclosing his position.
- Andrew Haft
  Account Executive, who posted a 5-star review without disclosing his position.
- Joel Kelly
  Engineer, who posted a 5-star review without disclosing his position.
Regulatory Bodies Watchlist
- Department of Justice (DOJ) & Federal Trade Commission (FTC)
  Currently leading the legal action. Their pursuit of civil penalties and a permanent injunction is the primary front for state-level accountability.
- Department of Health and Human Services (HHS)
  Given the egregious and false claims of HIPAA compliance and the exposure of patient data, HHS has a mandate to investigate these violations of medical privacy.
- State Attorneys General
  Individual states whose residents and businesses were harmed have the power to launch their own investigations into Verkada’s deceptive practices.
Real change does not come from waiting for a court verdict. It comes from community action. Support local organizations advocating for digital privacy rights. Organize to demand that public institutions, especially schools and hospitals, adopt stringent, independently-verified security standards for any technology they procure. True security is a process of collective vigilance and holding power to account, not some basic ass security software or something that can be bought with the swipe of a credit card.
The source document for this investigation is attached below.
The FTC published a press release about this act of corporate misconduct and the settlement that followed, if you’re interested in checking it out: https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-takes-action-against-security-camera-firm-verkada-over-charges-it-failed-secure-videos-other