Cyber Incident Victim: Oklahoma State University Center for Health Sciences

On November 7, 2017, Oklahoma State University Center for Health Sciences (OSUCHS) discovered unauthorized third-party access to folders within its computer network containing Medicaid patient billing information. The institution acted swiftly the following day by removing the compromised folders from the network and terminating the unauthorized access. OSUCHS initiated an investigation supported by an independent data security firm to assess potential data exposure. The forensic analysis could not definitively determine whether the intruder accessed or exfiltrated patient information stored in the folders. The exposed data potentially included patient names, Medicaid identification numbers, healthcare provider names, service dates, and limited treatment details. Medical records were not stored in the affected system, though investigators confirmed one social security number resided on the compromised server. OSUCHS found no evidence indicating actual misuse of the exposed information during their investigation.

OSUCHS mailed notification letters to potentially affected Medicaid patients on January 5, 2018, advising vigilance against unauthorized medical services billed to their accounts. The organization established a dedicated call center operational from 8 am to 8 pm Central Time, Monday through Friday, directing patients to verify receipt of notification letters by February 15 and report concerns to providers or Medicaid. While confirming no medical record exposure, OSUCHS acknowledged the incident might have compromised billing-related personal health information. The institution implemented enhanced security measures following the breach and emphasized its commitment to patient confidentiality through public statements. Patients were instructed to contact the call center at 1-844-551-1727 for incident-related inquiries or confirmation of potential impact.