Oklahoma alerts 47,000 clients about data breach for the 2nd time

By Jessica Davis
11:30 AM
Share
While Oklahoma’s DHS informed its clients within a few months of finding the April 2016 breach, the department failed to report the breach to U.S. Health and Human Services.
Oklahoma health department data breach

The Oklahoma Department of Human Services is notifying 47,000 clients their records may have been breached -- and it’s the second breach notification about the same incident because DHS neglected to alert the U.S. Department of Health and Human Services the first time. 

An unauthorized user accessed a state assessment computer at Carl Albert State College in Poteau, Oklahoma, in April 2016. The server contained the names, addresses, dates of birth and Social Security numbers of both current and former DHS Temporary Assistance for Needy Families clients.

The college secured the data and all organizations involved have employed monitoring efforts after the breach to prevent another attack.

Future-proofing security

Why cybersecurity is top of mind for forward-looking healthcare orgs.

The college was notified of the unauthorized access about two weeks afterward, and the DHS Office of Inspector General was notified in May 2016, while clients were notified in August 2016. However, U.S. DHS was not informed of the breach.

All Temporary Assistance for Needy Families clients whose data was on the server were informed last year of the breach. But as DHS responsibilities fall under HIPAA, HHS told the state it needed to send a second notice to those involved on Nov. 30.

The incident highlights the need for healthcare organization leaders to fully understand breach-reporting requirements as they fall under HIPAA.

And it serves as a reminder that all providers must report an incident to patients, the media and HHS within 60 days of discovering a breach.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com