She Knew Exactly What Was Wrong. She Couldn't Say a Word
Incentives, dying in line, and pizza that tastes like cardboard
“It is difficult to get a man to understand something, when his salary depends upon his not understanding it.”
— Upton Sinclair
A doctor friend told me over dinner that a colleague she works closely with was struggling with something that was creating risk of injury for patients. She’d been quietly stepping in. Covering. Handling it, because handling it was the right thing for the patient in the moment.
What left her deeply unsettled was that every option for what to do next would punish her for trying. She could go to HR, but HR exists to manage the institution’s liability, not to help two professionals figure out a patient safety problem. She could say something directly, but the colleague’s employment structure has its own protections, and the person who reports a colleague becomes the difficult one. Now your name’s on a file. Now your next review has an asterisk that could get you fired. So she’s likely to continue covering. It’s the best she can do under the circumstances, despite the risk to the patient and to herself. The institution that pays her isn’t set up to do what all doctors literally swear to: protect patients. It’s set up to protect itself. The practitioners, and the system that pays them, have conflicting goals.
That night, I stayed up until 4am doing research.
The federal Agency for Healthcare Research and Quality has tracked hospital safety culture across thousands of U.S. hospitals for over two decades. Their finding is consistent: hospitals where staff fear blame for raising problems have measurably worse patient outcomes [1].
In one controlled trial, hospital units that trained staff to speak up about safety concerns saw adverse outcomes drop 37%. Units that didn’t saw them rise 43%. More medication errors. More hospital-acquired infections. More patients dying [1].
Not because the doctors and nurses don’t care. Because the unavoidable math my friend did at our dinner table is the same math being done in every hospital in the country. And when that math runs at institutional scale, the consequence is loss of life.
At the Carl T. Hayden VA Medical Center in Phoenix, administrators kept two sets of books. When veterans called to request primary care, their names went on unofficial paper lists held in desk drawers. Only when a slot opened within the VA’s 14-day performance target did the name get moved to the official electronic system. The facility reported average wait times of 24 days. The VA Inspector General found veterans actually waited nearly 115 days [2].
The structural motivation wasn’t complicated. Wait-time performance was tied directly to bonuses and evaluations at every level, from the schedulers entering data to the senior leaders reviewing it. The VA paid $2.8 million in bonuses to senior executives that year. Every single one of the facility’s 470 senior managers received a “fully successful” performance review. The institution had figured out what it was being measured on, and gamed it. Not for the veterans on the other end of the phone. For the metric. Investigators found 1,700 veterans at Phoenix alone who had requested care and were never placed on any official list at all. Some of them died waiting.
Thomas Breen was 71. Navy veteran. He arrived at the Phoenix VA in September 2013 with blood in his urine and a history of cancer. He was told there was a seven-month waiting list. He died of bladder cancer two months later. The VA called on December 6th to schedule his appointment. He had been dead for six days [2].
The VA kept the real wait times in desk drawers. Clean numbers went into the official system. My industry has its own version of that drawer.
Accepted Exceptions, Security Be Damned
There’s something most people in corporate cybersecurity understand and almost nobody will admit to, because it can get you fired: the job isn’t protection. The job is liability management.
Compliance checklists. Audit trails. Certification frameworks that exist so an organization can point to documentation when something goes wrong. Not so that something doesn’t go wrong. The structure is built for the aftermath. Pass the audit. Satisfy the assessor. Get the certificate on file. The calendar turns. Do it again next year.
I’ve sat through enough security audits to know how they actually work. When an assessment finds a vulnerability, the organization has a formal process for keeping it open. It’s called an exception. Someone writes a sentence in a spreadsheet explaining why the risk is acceptable. The auditor notes the exception. The assessment passes. The vulnerability remains. It’s not a flaw in the process. It is the process. Real risks, documented in obscure cells on a spreadsheet nobody outside the security team will ever read. Clean certification on the wall. Same drawer. Different filing cabinet.
Verizon’s forensic team has been analyzing breach investigations for over a decade. The pattern they’ve found is worth sitting with: they have never once identified a breached company that was fully compliant at the time it was hit [3]. Not once.
Equifax held ISO 27001 certification, the international gold standard for information security management. Companies spend months preparing for that audit. EY, one of the Big Four accounting firms, signed off on it. Equifax also held two additional security certifications. Three of the most rigorous in the industry, all active, all current. Meanwhile, a known vulnerability in their web application software had a patch available. Nobody applied it for two months. Nobody’s bonus depended on applying it. Someone’s depended on passing the audit.
Attackers operated inside Equifax’s systems for 78 days without being detected. An expired security certificate had knocked their network monitoring tools offline for 19 months. The tools that would have caught the intrusion weren’t running. 147.9 million Americans had their Social Security numbers exposed. The House Oversight Committee called the breach “entirely preventable.” The Canadian Privacy Commissioner was more direct: it was “not reasonable,” the Commissioner wrote, to rely on the certification “as assurance of adequate security” when the company’s own internal tests had already identified the problems [4].
This pattern goes back at least to 2013, when Target was certified compliant on the payment industry’s own security standard two months before a breach that cost $200 million and ended the CEO’s career [5]. It’s still happening: in 2024, Change Healthcare, the company that processes roughly half of all medical claims in the United States, was breached through a login screen that didn’t require a second verification step beyond a password. $2.457 billion in damages so far. 192.7 million people affected [6].
My friend’s hospital, the VA, Equifax, Target, Change Healthcare. Different industries. Different stakes. Same structure. The institution claims to do one thing. It’s set up to reward another. The people it’s supposed to serve don’t know to ask which is which. And the people inside who do know have done the math on what happens if they speak up.
What Happens When the CEO Admits the Pizza Tastes Like Sh*t
Domino’s Pizza, late 2009. Stock at $2.83 a share. Same-store sales down nearly 5%, seven times worse than the industry average. In consumer taste tests, tied for dead last with Chuck E. Cheese. The company claimed to make good pizza. It was set up to deliver the cheapest possible ingredients as fast as possible. Every customer knew it. The company knew every customer knew it [7].
What happened next is still one of the strangest things a public company has ever done. Domino’s took its own internal focus group footage, customers calling the pizza “cardboard” and “the worst I ever had,” and aired it on national television. CEO Patrick Doyle didn’t spin it. He said the product was bad. Then the company reformulated the entire recipe from scratch, changed every ingredient, and retrained 180,000 employees across 9,000 franchise locations [7].
Revenue jumped 14.3% the next quarter. The stock rose 130% in 12 months. Domino’s eventually overtook Pizza Hut to become the largest pizza chain in the world. By 2018, David Chang was featuring Domino’s on his Netflix show Ugly Delicious and telling Stephen Colbert it was great pizza. A two-Michelin-star chef, ordering Domino’s on camera. The stock didn’t rise because the CEO was brave. It rose because he closed the gap between what the company claimed and what it was actually set up to do [7].
To be fair, there’s a version of this story that goes the other direction. Everlane, the clothing company, trademarked the phrase “Radical Transparency” and published cost breakdowns on every product. Growth was extraordinary. The company raised money at a $250 million valuation, positioning itself as a future billion-dollar brand. But the transparency was only on the price tags. Underneath, the company was set up for the same things every fashion brand is set up for: low labor costs, fast growth, maximum margins. When employees tried to unionize in 2020, the gap became visible. Leadership discouraged the union, claiming it would “reduce transparency.” Former employees published a seven-page manifesto documenting racial discrimination. The New York Times headline: “Everlane’s Promise of ‘Radical Transparency’ Unravels.” The company took on debt to cover inventory, cycled through CEOs, and by 2024 revenue had slid to a fraction of expectations and was still shrinking [8]. The union didn’t cause the decline. The decline happened because the brand’s promise and the company’s actual priorities were never aligned. You can’t slap a transparent label on top of business as usual and expect it to hold.
The Most Transparent Industry Nobody Trusts
The day after dinner, I went on a dog walk with my cousin. He’s a property and casualty insurance producer. He’d been listening to me go on about all of this, and he said something like: “I mean, at least in my line of work, it’s all spelled out clearly. Here’s what’s covered. Here’s what isn’t. Here’s the number. You signed it.”
Then he dared me to go read my own homeowners policy.
I pulled it up on my phone that night, sitting on the couch with the dog asleep on my feet.
Everything covered was listed. Everything excluded was listed. The dollar limits were explicit. The conditions under which a claim pays out were written down. Just a contract that said exactly what it would do, what it wouldn’t, and what it would cost.
The policy I’d been ignoring for three years was more readable than the terms I’d agreed to that morning to update an app on my phone. That’s not a figure of speech. When researchers tested readability across 17 different types of consumer contracts, auto insurance policies scored at a 9th-grade reading level. The most readable of any category. Credit card agreements hit 12th grade. Tech terms of service required a college education [9].
Insurance got this way because nobody trusts it. Accenture surveyed 49,000 consumers across 33 countries in 2023. Only 39% believe insurance companies have their best interests at heart [10]. That deep, persistent distrust is exactly what produced fifty years of regulation requiring clarity. Of 776 plain-language laws in the United States, 209 of them, 42%, govern insurance documents. Banking has 41. Healthcare has 23 [11]. Lawmakers looked at the insurance industry and said: we don’t trust you to be clear on your own, so we’re going to make you.
The industry fought it. Industry representatives warned regulators that changing readability standards would lead to “unintended consequences” and “new litigation.” For decades, insurers resisted every layer of consumer protection regulation that was imposed on them. And then the most regulated consumer-facing industry in the country became one of the most stable and consistently profitable.
We trust our doctors. We trust “the IT guy.” Whether someone is in cybersecurity, networking, software engineering, or desktop support, they’re all “the IT guy” to most people, and we assume they’ve got it handled. That trust is what allows medicine and cybersecurity to stay opaque. Nobody’s demanding that hospital safety reports be written at a ninth-grade reading level. Nobody’s asking to read the exceptions spreadsheet from the last security audit. We just trust that the specialists are doing what they say they’re doing.
The least trusted industry produced the most transparent document. The most trusted institutions hide the truth in desk drawers and spreadsheet exceptions.
There’s a complication, though. Trusted Choice found that 86% of homeowners say they feel confident they understand their coverage. When actually tested on basic questions about their own policy, only 29% passed [12].
The transparency is in the document. It always has been. It’s sitting in your email or your filing cabinet right now. It says exactly what will and won’t happen if your house floods, your roof caves in, your kitchen catches fire. But nobody sat down with you and walked you through it. The agent who sold you the policy earned a commission when you signed. After that, the incentive to make sure you actually understood what you bought disappeared.
Domino’s didn’t just admit the pizza was bad. They changed everything about how the company operated and made the honesty impossible to miss. The insurance industry was forced into writing the clearest consumer contract in America, and it became one of the most stable and profitable industries in the country. But the clarity stops at the document. Nobody, to my knowledge, has bothered to close that last gap.
The Question
People treat medicine, cybersecurity, and insurance like dark arts. Best left to the specialists. “The IT guy has it handled.” I’ve been the IT guy for twenty years. None of these fields are actually dark arts. They all dissolve into logic once you understand them. The VA’s wait-time system is a bonus structure. A security certification is a spreadsheet full of accepted exceptions. An insurance policy is a contract written at a ninth-grade reading level that says exactly what it will and won’t do.
The difference isn’t complexity. It’s incentive. The fields that stay opaque do so because it’s useful. Nobody questions the system when they assume only the specialists can understand it. The one industry that got forced into clarity got there because nobody trusted it enough to leave it alone.
If you run a team, a department, a company: what does your last performance review actually reward? If someone on your team saw a problem tomorrow and did the math on what happens if they name it, would they say something? Or would they do what my friend did at dinner: care about three things at once and stay quiet?
🖖
Sources
[1] Agency for Healthcare Research and Quality, Hospital Survey on Patient Safety Culture. AHRQ has administered this survey across thousands of U.S. hospitals since the early 2000s, tracking whether staff feel they’ll face blame for reporting errors or near misses. Hospitals with punitive cultures consistently show lower near-miss reporting rates, which the research associates with worse patient outcomes over time. The controlled trial finding (37% decrease in adverse outcomes in trained units vs. 43% increase in controls) is from Weaver et al. (Annals of Internal Medicine, 2013), a systematic review commissioned by AHRQ that included 33 studies; the specific trial was a cluster-randomized controlled study showing team training’s impact on adverse outcome scores. The association between punitive cultures and increased medication errors, hospital-acquired infections, and mortality is documented across multiple systematic reviews: Braithwaite et al. (BMJ Open, 2017) reviewed 62 studies and found 74% reported positive associations between safety culture and patient outcomes including reduced mortality, infections, and medication errors; Vikan et al. (BMC Health Services Research, 2023) found 76% of 34 studies showed reduced adverse events where safety culture scores were higher. AHRQ is a federal agency inside the U.S. Department of Health and Human Services. Not commercially sponsored. AHRQ Hospital Survey.
[2] VA Office of Inspector General, Interim Report (No. 14-02603-178, May 28, 2014) and Final Report (No. 14-02603-267, August 26, 2014). The Phoenix investigation found the dual record-keeping system, the 115-day actual wait time versus 24-day reported time, and 1,700 veterans never placed on official lists. Thomas Breen’s case is documented in the OIG report and corroborated by House Committee on Veterans’ Affairs hearing testimony (September 17, 2014). The $2.8 million in senior executive bonuses and the 470 senior managers receiving “fully successful” ratings are from Rep. Jeff Miller’s statement at the House Committee on Veterans’ Affairs (June 2014) and confirmed by CNN reporting. The VA’s own audit concluded that “some front-line, middle, and senior managers felt compelled to manipulate” records to meet performance goals. Schedulers were told by supervisors to “fix” appointments exceeding the 14-day target. Sharon Helman, the Phoenix VA director, received an $8,500 bonus that was later rescinded. A VA nationwide access audit (June 9, 2014) found 70% of VA facilities used unofficial wait lists. An important caveat on causation: the OIG used a standard requiring investigators to “conclusively assert” that delay caused death rather than underlying disease. Medical experts called this threshold “virtually impossible to meet.” The finding is that veterans died while waiting for care they never received, not that delayed care was the sole cause of death in every case. VA OIG Reports.
[3] Verizon Payment Security Report, 2024. Verizon’s Qualified Security Assessor practice has analyzed PCI DSS compliance data across breach investigations for over ten years. The finding that no breached company was fully compliant at the time of breach has held across every edition. Former Visa Chief Enterprise Risk Officer Ellen Richey corroborated this independently in 2018. One important nuance: this means breached companies had drifted out of compliance by the time they were hit, not that compliance itself is useless. The annual-audit-and-drift pattern is the core observation. Verizon sells compliance assessment services, which is worth knowing. Verizon Payment Security Report.
[4] House Committee on Oversight and Government Reform, “The Equifax Data Breach” (December 2018, 96 pages). The “entirely preventable” finding is the Committee’s headline conclusion. The Canadian Privacy Commissioner’s finding is from PIPEDA Report of Findings 2019-001, which explicitly states that reliance on ISO 27001 certification was “not reasonable” given that the company’s own penetration tests had identified noncompliant practices. Equifax issued a statement disagreeing with “many of the factual findings” in the House report. The figure of 300 expired certificates, including 79 on business-critical domains, is from the House report. The $575-700 million FTC/CFPB/state settlement was reached in July 2019, with total breach costs estimated around $1.38 billion. House Oversight Equifax Report. Canadian Privacy Commissioner Finding.
[5] Senate Committee on Commerce, Science, and Transportation, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach” (March 26, 2014). Target CFO John Mulligan confirmed the PCI DSS certification timeline in testimony before both the Senate Judiciary Committee (February 4, 2014) and Senate Commerce Committee (March 26, 2014). The $200 million figure is from Target’s SEC filings, which also include an $18.5 million multistate attorney general settlement (May 2017). Trustwave, the assessor, disputed the scope of its engagement. The finding here is structural: the certification framework failed to catch the vulnerability that was actually exploited. Senate Kill Chain Report.
[6] Change Healthcare breach, 2024-2025. Change Healthcare (a UnitedHealth Group subsidiary) disclosed the breach in February 2024. The attack was attributed to the ALPHV/BlackCat ransomware group. HITRUST certification status was reported by multiple cybersecurity outlets. The $2.457 billion cost through Q3 2024 is from UnitedHealth Group’s SEC filings (quarterly earnings reports). The $22 million ransom payment was confirmed by UnitedHealth CEO Andrew Witty in April 2024. The 192.7 million affected individuals figure comes from Change Healthcare’s notification to HHS Office for Civil Rights. The $6 billion in advance funding to healthcare providers is from UnitedHealth Group’s disclosures. Change Healthcare’s role in processing approximately half of U.S. medical claims is from the Congressional Research Service. CRS Report IN12330. UnitedHealth Group SEC Filings.
[7] Domino’s Pizza turnaround: all financial figures from Domino’s SEC filings. Stock price of $2.83 and same-store sales decline from Q4 2009 10-Q. The dead-last tie with Chuck E. Cheese in taste tests is from a 2009 consumer survey widely reported at the time, including in the company’s own turnaround documentary. The “Pizza Turnaround” campaign launched in December 2009 with a four-minute documentary posted to YouTube showing real focus group footage and CEO Patrick Doyle’s response. Revenue increase of 14.3% from 2010 annual report. The 130% stock rise within 12 months is calculated from market data. The 180,000 employees and 9,000 franchise locations are from Domino’s corporate disclosures at the time. Domino’s overtaking Pizza Hut is from industry reporting (QSR Magazine, Nation’s Restaurant News). David Chang’s Domino’s advocacy appeared in the first episode of Ugly Delicious (Netflix, 2018). He told Stephen Colbert on The Late Show (May 2018) that he grew up eating Domino’s and his taste hasn’t changed. Chang holds two Michelin stars through his Momofuku restaurant group. Domino’s SEC Filings. Pizza Turnaround Documentary on YouTube.
[8] Everlane: the $250 million valuation and billion-dollar brand trajectory are from Business of Fashion reporting. The unionization timeline, HR emails discouraging organizing, and employee manifesto were reported by The New York Times (“Everlane’s Promise of ‘Radical Transparency’ Unravels,” 2020), Vice, and Fast Company. CEO Michael Preysman acknowledged to Business of Fashion: “The brand externally had such a lofty ambition and we didn’t live up to it internally.” The company took on debt to cover inventory in 2022 (Business of Fashion, February 2024). Revenue decline and continued contraction reported by Business of Fashion (July 2025), citing a person with direct knowledge. NYT: Everlane’s Radical Transparency Unravels (may require subscription). Business of Fashion Everlane Coverage (may require subscription).
[9] MoneyGeek readability analysis, approximately 2022-2023 (original article no longer available at moneygeek.com; methodology and findings corroborated by syndicated coverage and consistent with Benoliel and Becher’s independent findings). Tested 17 contract types across financial services and technology using eight readability algorithms. Auto insurance scored 9.80 grade level (most readable); credit cards 10.10; health benefits summaries 10.75; tech terms of service 12.02. MoneyGeek is a commercially sponsored insurance comparison site, which is worth noting. However, the findings align with independent academic research: Benoliel and Becher (Boston College Law Review, 2019) tested 500 major website contracts and found 498 of 500 required 14+ years of education to read. Insurance, particularly auto and property, sits meaningfully below these benchmarks. Health and life insurance score worse (grade 11-13 range), which is an honest limitation of the broader claim. Benoliel & Becher, Boston College Law Review.
[10] Accenture Global Insurance Consumer Study 2023, “People Before Policies.” Survey of 49,000 consumers across 33 global markets. The trust figure has been declining: confidence in insurers’ data stewardship dropped from 40% in 2019 to 32% in 2021. Accenture consults for insurers and has a commercial interest in findings that recommend transformation. The scale of the study and the consistency of the trend across two survey cycles make it credible even accounting for that. Accenture Insurance Consumer Study.
[11] Blasie, Michael. United States Plain Language Laws. Published in the University of Miami Law Review (2022) and expanded as a Wolters Kluwer reference (2023). First nationwide empirical survey of plain-language laws, using systematic Westlaw searches across all 50 states, DC, and federal law. Identified 776 total laws; 209 (42%) govern insurance documents. Funded by the Association of Legal Writing Directors. Not commercially sponsored. Industry resistance to readability regulation: David Snyder, VP and associate general counsel for the American Insurance Association, urged regulators to “tread carefully” and warned that changes “could lead to unintended consequences such as igniting new litigation” (InsuranceNewsNet, reporting on NAIC Consumer Connections Working Group testimony). The broader history of industry resistance to consumer protection regulation is documented in the Congressional Research Service report on insurance regulation (R44046), which describes “the largely united industry resistance to federal intervention in insurance” across multiple decades. Blasie, University of Miami Law Review. InsuranceNewsNet NAIC Readability Coverage. CRS Insurance Regulation Report R44046.
[12] Trusted Choice / Big “I” homeowners insurance awareness survey, June 2024. 400 consumers surveyed via Mfour Data Research. 86% claimed “strong understanding” of their policies. When tested: 56% didn’t know standard homeowners policies exclude floods, 70% didn’t know renovation materials aren’t covered. Only 29% passed. Trusted Choice is the consumer brand of the Independent Insurance Agents and Brokers of America, the trade association for independent agents. Their interest in findings that demonstrate the need for agents is obvious. A Guardian Service survey (2025, 2,000 homeowners via Pollfish) found a nearly identical pattern: 85% confident, 31% failed entirely. Kaiser Family Foundation (2023, independent and nonprofit) found 65% of insured adults with denied claims reported difficulty understanding what their coverage covers. Trusted Choice. KFF Consumer Experience Data.
