Oklahoma Department of Human Services Notifies OCR of Breach Nearly 18 Months Late

In April 2016, the Oklahoma Department of Human Services experienced a data breach that affected 47,000 people. In accordance with HIPAA’s Breach Notification Rule, notifications were sent to affected individuals and to the DHS’ Office of Inspector General shortly after the breach was discovered. However, an important requirement of HIPAA’s Breach Notification Rule was not met: no breach report was submitted to the HHS’ Office for Civil Rights.

OCR has only recently been notified of the breach. HIPAA’s Breach Notification Rule stipulates that OCR must be made aware of a breach of this size within 60 days of its discovery. It is now more than 18 months after that 60-day window closed. In response, OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients impacted by the breach in order to meet the requirements of HIPAA.

The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. Names, addresses, dates of birth, and Social Security numbers of clients were all stored on the compromised server. 

Once the breach was identified, Carl Albert State College secured its systems to prevent further access and implemented new controls to monitor for potential breaches. In May 2016, less than a month after the breach was discovered, the HHS Office of Inspector General was notified of the breach. Breach notification letters were then sent to all individuals impacted by the attack in August 2016. However, despite adhering to these other requirements of HIPAA’s Breach Notification Rule, no breach report was sent to the HHS’ Office for Civil Rights.

The Oklahoma Department of Human Services must cover the cost of re-notifying 47,000 clients. In addition to this expense, the violation of HIPAA Rules, the failure to notify the HHS Secretary of the breach, may result in a hefty fine being levied against the Oklahoma Department of Human Services.

Violations of HIPAA’s Rules are not tolerated by OCR. Earlier this year, OCR sent a clear message to all healthcare organizations that HIPAA Breach Notification Rule failures would be taken seriously when Presence Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. Those notifications were issued one month after the 60-day deadline set by the Breach Notification Rule.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone