
Oklahoma Spine Hospital email breach exposes 38,945

On July 1, 2024, the hospital detected unauthorized access to an employee email account, potentially compromising sensitive information for 38,945 individuals. 

 

What happened

Oklahoma Spine Hospital discovered suspicious activity in an employee's email account on or around July 1, 2024. Following an investigation that concluded on September 24, 2024, the hospital confirmed that protected health information (PHI) was stored in the compromised accounts. 

The breached data potentially included individuals’ names, birth dates, financial account and routing numbers, health insurance information, medical records, payment card details, and driver’s license numbers. A report to the Texas Attorney General indicated that Social Security numbers could be exposed, though this was not mentioned in the hospital's online notice.

 

What was said

The Oklahoma Spine Hospital notice states, “OSH is notifying potentially affected individuals for whom we have addresses as quickly as possible via U.S. mail to their most recent address on file.”

Despite no evidence of misuse, the hospital recommends that affected individuals monitor their financial accounts and healthcare statements for suspicious activity.

 

In the know

HIPAA mandates that covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates implement technical safeguards to secure PHI.

HIPAA compliant email solutions, like Paubox, implement technical safeguards, including encryption and access controls, to protect PHI and prevent unauthorized access. Providers can also use its role-based access controls to reduce the probability of data breaches. These access controls can be regularly monitored and changed when employees change roles.

 

Why it matters

Compromised employee email accounts expose patients to identity theft and fraud. They also leave organizations vulnerable to HIPAA violation fines, legal consequences, and reputational damage.

 

The bottom line

Healthcare providers must use a HIPAA compliant platform to prevent email-related data breaches. Additionally, organizations must enhance employee training and continuously monitor their systems to safeguard PHI and uphold data security standards.

Related: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

 

Are there any costs associated with placing a fraud alert or credit freeze?

No, under US law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.
