Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

Share this article on:

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – A breach of HIPAA Rules.

Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA.

The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers.

Once the breach was identified, Carl Albert State College secured its systems to prevent further access and implemented new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was notified of the breach, and breach notification letters were sent to all individuals impacted by the attack in August 2016. However, no breach report was sent to the HHS’ Office for Civil Rights.

Now, not only must the Oklahoma Department of Human Services cover the cost of re-notifying 47,000 clients, overlooking the requirements of HIPAA to notify the HHS Secretary of the breach places the health department at risk of a considerable fine for non-compliance.

Earlier this year, OCR sent a message to all healthcare organizations that HIPAA Breach Notification Rule failures would not be tolerated when Presense Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. Notifications were issued one month after the 60-day Breach Notification Rule deadline.

Author: HIPAA Journal

Share This Post On