In December 2013, I reported on a breach involving Cottage Health System.
In their notification to patients, which I included in that post, Cottage Health indicated that about 32,500 patients had their information exposed when a vendor removed security controls on a server. That vendor was later identified as InSync.
On September 4 of this year, HHS added the incident to their public breach tool with this entry:
Cottage Health System, CA, "InSync Computer Solutions, Inc.", 50918, 03/11/2012, Other, Network Server, 09/04/2014,
It is not clear to me why the HHS entry shows 50,918 for the number of patients affected. Did Cottage Health subsequently update their report of the number affected?
But the HHS log also reveals another detail not disclosed in Cottage Health's statement in 2013: the incident occurred on March 11, 2012. So patient information was exposed for roughly 21 months, from March 2012 until December 2013, before Cottage Health became aware of the problem?
Of course, it’s reasonable to ask why InSync Computer Solutions never noticed their error, but Cottage Health is the entity that patients trusted with their information.
The incident does not appear as a closed investigation, so it will be interesting to see what HHS does in terms of recommendations or requirements for the covered entity and its business associate.
UPDATE: In a 2015 report on a subsequent breach, NoozHawk clarified the discrepant numbers reported in this case:
In the 2013 incident, Cottage notified some 32,500 patients that their information may have been exposed by a data breach that occurred between Oct. 8 and Dec. 2 of that year.
Cottage subsequently notified another 18,000 patients about potential exposure during an expanded period — Feb. 20, 2009, to Dec. 2, 2013.