It sounds like there was "presence in room" data as well, which could be very bad

Unsecured fitness monitor data revealed military guard post (IIRC) activity a while back.

Corporations will be lining up to require their employees have their brainwaves harvested, so they can fire employees who aren't alert enough.

The general idea of an EEG system that posts data to a network?

Very, but there are already tons of them at lots of different price, quality, openness levels. A lot of manufacturers have their own protocols; there are also quasi/standards like Lab Streaming Layer for connecting to a hodgepodge of devices.

This particular data?

Probably not so useful. While it’s easy to get something out of an EEG set, it takes some work to get good quality data that’s not riddled with noise (mains hum, muscle artifacts, blinks, etc). Plus, brain waves on their own aren’t particularly interesting—-it’s seeing how they change in response to some external or internal event that tells us about the brain.

Not a neuroscientist either but I would imagine that raw data without personal information would not be useful for much. I can imagine that it would be quite valuable if accompanied with personal data plus user reports about how they slept each night, what they dreamed about if anything, whether it was positive dreams or nightmares etc. And I think quite a few people wouldn’t mind sharing all of that in the name of science, but in this case they don’t seem to have even tried to ask.

If they're taking patient data for research without permission, they are not ethical researchers.

I believe they use it for sleep tracking

> I would presume data privacy laws already have good precedent for health data?

Google for a list of all the exceptions to HIPPA. There are a lot of things that _seem_ like they should be covered by HIPPA but are not...

Only for "covered entities" under HIPAA (at least in the US)

An MQTT Broker just mean server, that's MQTT terminology.