Breach analysis · Patient Protect
Detection is the gap: why audit logging and alerting can't be passive
An 18-month undetected breach shows that prevention controls without detection controls leave practices exposed for far longer than any single incident requires.
What this incident exposes
The Oklahoma Tax Commission disclosed a breach that ran from July 2024 through December 2025 — roughly 18 months — without internal detection. According to the HIPAA Pulse report, the intrusion was surfaced through external reporting rather than the agency's own monitoring, and formal notification lagged behind public awareness of the incident. The OTC has not publicly specified the number of individuals affected or the precise intrusion vector involved.
The OTC is not a HIPAA-covered entity, but the failure mode it illustrates is directly transferable to healthcare. For independent practices holding protected health information, an undetected breach compounds daily: regulatory exposure grows, patient harm widens, and the cost differential between a short-dwell and long-dwell breach is measurable. IBM Security (2024) places the average breach lifecycle at 258 days and the average total cost at $9.8M — numbers driven heavily by how long a breach goes undetected.
First reported in HIPAA Pulse → https://hipaapulse.com/oklahoma-tax-commission-discloses-18-month-data-breach-it-failed-to-detect-15bd510d
The HIPAA Security Rule provision in play
This incident implicates 45 C.F.R. § 164.312(b) — Audit Controls, which requires covered entities and business associates to implement hardware, software, and procedural mechanisms to record and examine activity in information systems containing or using ePHI. It also implicates § 164.308(a)(1)(ii)(D) — Information System Activity Review, the required implementation specification mandating regular review of audit logs, access reports, and security incident tracking reports. HHS OCR has cited failures under both provisions repeatedly in enforcement actions. Passive log generation that no one reviews satisfies neither requirement.
How Patient Protect addresses this
- ePHI Audit Logging captures immutable, per-session access records across ePHI-touching systems — creating the evidentiary foundation that makes anomaly detection possible rather than theoretical.
- Security Alerts deliver real-time notifications when access patterns deviate from expected behavior, converting log data into actionable signals rather than archived noise.
- Autonomous Compliance Engine continuously recalculates a practice's compliance posture as conditions change, ensuring that detection gaps surface as risk items rather than remaining invisible until an external party finds them.
- Security Risk Assessment (SRA) provides structured, documented periodic risk analysis — including evaluation of whether current audit and alerting controls are operating as intended — satisfying § 164.308(a)(1) and creating a defensible record for OCR.
- Event Log maintains a searchable, audit-ready record of security-relevant activity, supporting both internal investigation and regulatory response if a breach is ultimately identified.
Practical next steps
- Confirm your logs are actively monitored, not just stored. Verify that someone with defined accountability is reviewing access reports on a set schedule — not waiting for an alert that may never fire.
- Establish a documented baseline of normal ePHI access. Without a baseline, anomalies are invisible; a one-time review of typical access patterns gives your team a reference point.
- Assign explicit ownership of detection. Name the person responsible for reviewing security logs and responding to alerts. Diffuse responsibility produces detection gaps.
- Review BAAs for vendor detection and notification obligations. EHR vendors, billing platforms, and clearinghouses that access PHI should have documented breach-detection and notification timelines in their agreements.
- Schedule an SRA that specifically evaluates your dwell-time risk. Ask: if unauthorized access began today, how long before someone would notice?
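The baseline step and the dwell-time question above, worked as an added example that is not Patient Protect's code: a per-user baseline is built from a constructed ePHI access log, later days are flagged when they deviate from it, and the gap between the first flagged access and the day someone actually reviewed the logs is measured. The log lines, the 3-sigma/2x thresholds, and the review date are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample audit lines (not from any real system): "YYYY-MM-DD user records_opened".
# The first three days form the baseline; later lines model a hijacked clinical account.
SAMPLE_LOG = """
2025-07-01 nurse_a 12
2025-07-02 nurse_a 14
2025-07-03 nurse_a 13
2025-07-01 billing_b 40
2025-07-02 billing_b 38
2025-07-03 billing_b 42
2025-07-11 nurse_a 190
2025-07-12 nurse_a 240
2025-07-12 billing_b 39
2025-07-12 svc_export 500
"""

def parse_log(text):
    """Turn each line into (date, user, count); a real parser would read the EHR audit export."""
    rows = []
    for line in text.strip().splitlines():
        day, user, count = line.split()
        rows.append((date.fromisoformat(day), user, int(count)))
    return rows

def build_baseline(rows, baseline_end):
    """Per-user mean and population stdev of daily record counts up to baseline_end (ISO date)."""
    cutoff, daily = date.fromisoformat(baseline_end), defaultdict(list)
    for day, user, count in rows:
        if day <= cutoff:
            daily[user].append(count)
    return {user: (mean(c), pstdev(c)) for user, c in daily.items()}

def find_deviations(rows, baseline, baseline_end, sigma=3.0, min_ratio=2.0):
    """Flag post-baseline days above mean + sigma*sd AND min_ratio*mean (ratio guards tiny stdev)."""
    cutoff, flagged = date.fromisoformat(baseline_end), []
    for day, user, count in rows:
        if day <= cutoff:
            continue
        mu, sd = baseline.get(user, (0.0, 0.0))  # unknown account: zero baseline, any access flags
        if count > mu + sigma * sd and count > min_ratio * mu:
            flagged.append((day, user, count))
    return sorted(flagged)

def dwell_days(flagged, review_date):
    """Days from the first anomalous access to the day someone actually reviewed the logs."""
    return (date.fromisoformat(review_date) - flagged[0][0]).days if flagged else 0
```

The account that never appeared during the baseline window (svc_export) is flagged on its first access, which is the case a fixed per-user threshold alone would miss.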
Try Patient Protect
- Start a free trial at hipaa-port.com → https://hipaa-port.com
- Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment
This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.
