A more timely announcement needed

Published 9:28 am Friday, August 22, 2014

When you hear of companies or government agencies that are the targets of cyber attacks, you would naturally expect that they’d let the public know in a timely manner that security systems have been breached or that information was either stolen or there was an attempt to steal. Like many of you, we were troubled by the news earlier this week of such an attack on Community Health Systems. This is the corporation that counts Southampton Memorial Hospital as one of its many assets. Thankfully, the hospital and — most importantly — its patients were reportedly not at all affected.

Based on CHS’s report to the Securities and Exchange Commission, the thieves — apparently operating somewhere out of China — got through computer security and copied “non-medical patient identification data” from the company. However, this information did reportedly include patient names, addresses, birthdates, social security numbers and telephone numbers.

As a compensatory measure, CHS intends to notify those people affected and provide them with identity theft protection services. That’s as it should be, but we’re a bit concerned by the timing of the announcement.

As also reported, the attacks happened in April and June, and the damage was confirmed in July. The question that comes to mind is why didn’t CHS notify its hospitals, etc., once the company determined what happened?