Not quite as egregious, but when I worked in QA for an internally accessible, hospital record keeping web app, most of the "test" data was real customer data, and OBVIOUSLY I had complete access to prod with no particular oversight (although I'm certain logging was enabled) for HIPPA. Still, glad it was available, as going through approval processes would've been a nightmare for our implementations.
The healthcare place I worked (mid 00's) kept all the prod passwords in a text file accessible to half the company. No auditing of logins into those servers either, so who knows what was leaked.
