Marcus Chen

Director of Privacy and Information Security at Cresswell Health

Cresswell Health discovers PHI in 40+ legacy systems

Cresswell Health, a multi-state hospital network with 12,000 employees, needed to know where protected health information actually lived across decades of legacy systems and clinical applications. Argus's continuous discovery uncovered PHI in 40+ systems the central HIPAA inventory had missed.

A 12,000-person network with a fragmented inventory

Cresswell Health operates a multi-state hospital network serving roughly two million patients annually, with 12,000 employees across clinical, administrative, and research functions. The privacy and information security team is responsible for protecting PHI across that footprint, and the team had built a solid HIPAA program over the past decade. What they did not have was confidence that they knew where all of the PHI actually lived.

What we found

The HIPAA inventory listed 28 systems containing PHI. After deploying Argus, the actual count came in at 73. The gap wasn't sloppy work — it was the inventory's age. Systems had been added over fifteen years through acquisitions, departmental projects, and clinical workflow changes that nobody had centralized authority to track.

The most concerning discoveries were in shared analytics environments: notebooks with cached query results from clinical research, departmental dashboards that pulled from production for operational visibility but were never reclassified, and a data lake that aggregated from multiple sources into a system that wasn't on the HIPAA inventory at all.

Why the inventory was incomplete

The inventory was maintained through quarterly attestation: system owners confirmed what their systems contained. The process worked for systems people remembered to include. It didn't work for systems that had drifted into containing PHI through schema changes nobody flagged, or for systems that had been spun up for projects and forgotten when the projects ended.

This isn't unique to Cresswell. The pattern of inventory drift is what convinced their team that point-in-time attestation wasn't going to scale.

The new baseline

Cresswell's compliance team now treats Argus output as the system of record for PHI location. Quarterly attestation still runs, but it reconciles against continuous discovery rather than restarting from owner memory. New systems get classified within hours of meaningful data appearing in them rather than during the next review cycle.

The audit conversation has changed accordingly. When OCR examiners ask about specific data flows, the answer is in the dashboard, not in a spreadsheet that needs to be assembled.

Protect Your Data

Protect what matters most.
