In April 2016, the Oklahoma Department of Human Services suffered a data breach. Although notices were sent to the affected individuals and to the HHS Office of Inspector General soon after the breach was discovered, no breach report was submitted to the HHS Office for Civil Rights (OCR), a violation of the HIPAA Breach Notification Rule.
Now, more than 18 months after the 60-day notification window required by the HIPAA Breach Notification Rule has elapsed, OCR has been informed. OCR has ordered the Oklahoma Department of Human Services to notify the 47,000 affected Temporary Assistance for Needy Families (TANF) clients a second time in order to satisfy the requirements of HIPAA.
The breach occurred in April 2016 when an unauthorized individual gained access to a computer system at Carl Albert State College in Poteau, Oklahoma. The system held files on current and former Temporary Assistance for Needy Families (TANF) clients. The records contained names, dates of birth, addresses, and Social Security numbers.
Once the breach was discovered, Carl Albert State College secured its systems to prevent further access and put new controls in place to detect possible breaches. The HHS Office of Inspector General was notified of the breach in May 2016, and breach notification letters were sent to all affected individuals in August 2016. However, no breach report was submitted to the HHS Office for Civil Rights.
Not only must the Oklahoma Department of Human Services now bear the cost of re-notifying 47,000 clients; its failure to meet the HIPAA requirement to notify the HHS Secretary of the breach also exposes the agency to a substantial financial penalty for non-compliance.
Earlier this year, OCR sent a clear message to all healthcare organizations that violations of the HIPAA Breach Notification Rule would not be tolerated when Presence Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. In that case, notices were sent one month after the 60-day deadline set by the Breach Notification Rule.