47,000 Patients of Oklahoma Health Department Re-Notified of 2016 Data Breach

The Oklahoma Department of Human Services experienced, in April 2016,  a data breach, and while alerts were sent to affected people and the DHS’ Office of Inspector General shortly after the breach was found, a breach notice was not filed to the HHS’ Office for Civil Rights – a clear violation of HIPAA Rules.

Now, more than 18 months later the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has expired, OCR has been made aware of the violation. OCR has asked the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were affected by the violation to meet the requirements of HIPAA.

The breach happened in April 2016 when an unauthorized person gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer stored records of current and former Temporary Assistance for Needy Families patients. The data on the server included names, address details, dates of birth, and Social Security details.

Once the breach was found, Carl Albert State College secured its systems to stop further access and put in place new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was advised of the breach, and breach notification letters were issued to all individuals impacted by the cyberttack in August 2016. However, no breach report was transmitted to the HHS’ Office for Civil Rights.

The Oklahoma Department of Human Services, along with covering the cost of re-notifying 47,000 clients, overlooking the requirements of HIPAA to notify the HHS Secretary of the breach means the health department at risk of a massive fine for non-compliance.

Earlier in 2016, OCR issued a message to all healthcare groups that HIPAA Breach Notification Rule failures would not be acceptable tolerated when Presense Health was fined $475,000 for unnecessarily slowing the issuing of breach notification alerts. Notifications were sent one month after the 60-day Breach Notification Rule deadline had expired.