47,000 Patients of Oklahoma Health Department Re-Notified of 2016 Data Breach

by | Dec 16, 2017

The Oklahoma Department of Human Services experienced, in April 2016,  a data breach, and while alerts were sent to affected people and the DHS’ Office of Inspector General shortly after the breach was found, a breach notice was not filed to the HHS’ Office for Civil Rights – a clear violation of HIPAA Rules.

Now, more than 18 months later the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has expired, OCR has been made aware of the violation. OCR has asked the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were affected by the violation to meet the requirements of HIPAA.

The breach happened in April 2016 when an unauthorized person gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer stored records of current and former Temporary Assistance for Needy Families patients. The data on the server included names, address details, dates of birth, and Social Security details.

Once the breach was found, Carl Albert State College secured its systems to stop further access and put in place new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was advised of the breach, and breach notification letters were issued to all individuals impacted by the cyberttack in August 2016. However, no breach report was transmitted to the HHS’ Office for Civil Rights.

The Oklahoma Department of Human Services, along with covering the cost of re-notifying 47,000 clients, overlooking the requirements of HIPAA to notify the HHS Secretary of the breach means the health department at risk of a massive fine for non-compliance.

Earlier in 2016, OCR issued a message to all healthcare groups that HIPAA Breach Notification Rule failures would not be acceptable tolerated when Presense Health was fined $475,000 for unnecessarily slowing the issuing of breach notification alerts. Notifications were sent one month after the 60-day Breach Notification Rule deadline had expired.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy