Oklahoma Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A timeline of major cybersecurity incidents in Oklahoma, from state government data exposures to ransomware attacks on energy companies and healthcare systems, with lessons for businesses.

Oklahoma's economy is anchored by energy, aerospace, and agriculture — three sectors that handle enormous volumes of sensitive operational and personal data. As the nation's fourth-largest producer of crude oil and natural gas, the state's pipeline operators, refineries, and oilfield services firms manage industrial control systems that are attractive targets for both nation-state actors and ransomware gangs. Add in the military significance of Tinker Air Force Base and the growing tech corridor in Oklahoma City, and the state presents a diverse attack surface that cybercriminals exploit with increasing frequency.

The incidents documented below are not hypothetical scenarios. Each one exposed real vulnerabilities in Oklahoma organizations and triggered real consequences — regulatory scrutiny, financial losses, and erosion of public trust. Understanding the Oklahoma cyber threat landscape starts with understanding what has already happened and why these attacks succeeded.

Major Cyber Incidents in Oklahoma: A Timeline

2011 — Oklahoma Department of Human Services Data Breach

The Oklahoma Department of Human Services (OKDHS) disclosed a breach involving a stolen laptop containing unencrypted personal information of approximately 1,200 clients. The data included Social Security numbers, dates of birth, and case information for families receiving state assistance. The incident prompted the agency to implement full-disk encryption on all portable devices and accelerated the state's adoption of data-at-rest encryption policies.

2017 — Oklahoma State University Center for Health Sciences Breach

Oklahoma State University Center for Health Sciences (OSU-CHS) reported a breach affecting approximately 279,000 patients. Attackers compromised a server containing Medicaid billing records, exposing names, Medicaid numbers, dates of birth, Social Security numbers, and treatment information. The breach was discovered during a routine security audit, and OSU-CHS subsequently invested in network segmentation and enhanced monitoring of its medical records infrastructure. The incident highlighted the vulnerability of academic medical centers that often operate with legacy systems.

2019 — Oklahoma Securities Commission Data Exposure

In January 2019, security researchers discovered that the Oklahoma Department of Securities had left millions of files exposed on an unsecured server. The exposed data included years of FBI investigations, confidential case files, Social Security numbers, and internal communications dating back decades. The server had no password protection and was accessible to anyone with the IP address. The incident generated national headlines and raised serious questions about data governance practices within Oklahoma state agencies.

2020 — Oklahoma City Indian Clinic Ransomware Attack

The Oklahoma City Indian Clinic, a federally qualified health center serving Native American patients, experienced a ransomware attack that disrupted access to electronic health records and scheduling systems. While the clinic maintained that no patient data was exfiltrated, the incident forced a temporary return to paper-based processes and affected care delivery for several weeks. The attack underscored the disproportionate impact of ransomware on community health centers with limited IT budgets.

2022 — CommonSpirit Health (Oklahoma Facilities)

CommonSpirit Health, which operates St. Anthony Hospital and other facilities in Oklahoma, was hit by a ransomware attack in October 2022 that affected operations across its national network. Oklahoma locations experienced disrupted access to electronic health records and scheduling systems. The breach ultimately affected over 623,000 patients nationwide. The attack was attributed to the Vice Society ransomware group and exposed patient names, addresses, dates of birth, and in some cases Social Security numbers and clinical information.

2023 — Integris Health Data Breach

Integris Health, Oklahoma's largest not-for-profit health network, disclosed a data breach in December 2023 affecting approximately 2.4 million patients. Attackers accessed databases containing names, dates of birth, contact information, Social Security numbers, and insurance details. Unusually, the threat actors directly contacted patients via email, threatening to sell their data on the dark web if Integris did not pay a ransom. The incident prompted multiple class-action lawsuits and became the largest healthcare data breach in Oklahoma history.

2024 — Tinker Federal Credit Union Phishing Campaign

Tinker Federal Credit Union, which serves military personnel and civilians associated with Tinker Air Force Base, disclosed a phishing incident in 2024 that compromised employee email accounts containing member financial data. The credit union implemented additional email authentication controls and mandatory security awareness training for all staff. The incident highlighted the persistent risk that phishing poses to financial institutions, even those serving security-conscious military communities.

Oklahoma's Data Breach Notification Law

Oklahoma's breach notification statute is codified in the Oklahoma Computer Crime Act, specifically 24 O.S. Section 163, known as the Security Breach Notification Act. The law requires any person or entity that owns or licenses computerized data containing personal information of Oklahoma residents to disclose a breach to affected individuals without unreasonable delay. While the statute does not specify a fixed number of days, the standard of 'without unreasonable delay' has been interpreted to generally mean within 45 to 60 days.

Oklahoma law also requires notification to the Oklahoma Attorney General if the breach affects more than a specified number of residents. Businesses must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. For a complete breakdown of these requirements, see our guide to Oklahoma cybersecurity compliance requirements.

Which Oklahoma Industries Are Most Targeted?

Energy and Oil & Gas

Oklahoma is home to major energy companies including Devon Energy, Continental Resources, and ONEOK. The state's extensive pipeline network and refining operations rely on operational technology (OT) systems that present unique cybersecurity challenges. Nation-state actors have repeatedly targeted U.S. energy infrastructure, and Oklahoma's concentration of energy and manufacturing operations makes it a priority target.

Healthcare

With major systems like Integris Health, OU Health, and SSM Health St. Anthony, Oklahoma's healthcare sector manages millions of patient records. The 2023 Integris breach alone affected 2.4 million individuals. Healthcare organizations should invest in managed IT security services to maintain continuous monitoring of electronic health record systems and network perimeters.

Aerospace and Defense

Tinker Air Force Base is Oklahoma's largest single-site employer, and the state hosts numerous defense contractors supporting aerospace maintenance and logistics. These organizations face persistent threats from nation-state cyber espionage groups targeting controlled unclassified information and supply chain access.

Agriculture and Agribusiness

Oklahoma's agricultural sector increasingly relies on precision agriculture technology, connected equipment, and cloud-based supply chain systems. While these technologies improve efficiency, they also introduce cyber risk to an industry that has historically operated with minimal IT security infrastructure. Small businesses in agriculture are particularly vulnerable to ransomware that can disrupt planting and harvest operations.

What Oklahoma Businesses Must Do After a Breach

If your Oklahoma organization experiences a data breach, the following steps are required or strongly recommended:

  • Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve forensic evidence

  • Conduct a forensic investigation — determine what data was accessed, the method of entry, and whether the breach is ongoing

  • Notify affected individuals without unreasonable delay under 24 O.S. Section 163, including a description of the incident and the types of information compromised

  • Notify the Oklahoma Attorney General if the breach affects a significant number of residents

  • Notify credit reporting agencies if the breach involves Social Security numbers or financial account information affecting a large number of individuals

  • Engage legal counsel experienced in Oklahoma data breach law to ensure compliance with state and any applicable federal requirements

  • Review and strengthen security controls based on the root cause analysis to prevent recurrence

How to Protect Your Oklahoma Business Before an Incident

Prevention is significantly less costly than breach response. Oklahoma businesses should build security programs that address the state's specific risk profile, including the concentration of energy infrastructure, the volume of healthcare data, and the presence of defense-related assets.

  • Deploy multi-factor authentication across all remote access, email, and privileged accounts — phishing was the entry point in multiple Oklahoma breaches

  • Encrypt data at rest and in transit — the 2011 OKDHS laptop breach would have been a non-event with proper encryption

  • Segment networks to prevent lateral movement, particularly between IT and OT environments in energy operations

  • Conduct regular penetration testing and vulnerability assessments, including assessments of OT/SCADA systems

  • Establish and test incident response plans with tabletop exercises simulating ransomware and data exfiltration scenarios

  • Train all employees on phishing recognition with regular simulated phishing campaigns

Many Oklahoma businesses work with managed IT services providers to maintain 24/7 monitoring and rapid incident response without the overhead of a full in-house security operations center.

Frequently Asked Questions

How quickly must an Oklahoma business report a data breach?

Oklahoma law requires notification 'without unreasonable delay' under 24 O.S. Section 163. While the statute does not specify an exact number of days, the standard is generally interpreted as 45 to 60 days. Delays beyond that window without documented justification could expose a business to enforcement action by the Oklahoma Attorney General.

What types of data trigger Oklahoma's breach notification law?

Oklahoma's Security Breach Notification Act covers personal information defined as an individual's first name or initial and last name combined with unencrypted Social Security numbers, driver's license or state ID numbers, or financial account numbers with access codes or passwords. If the compromised data was encrypted, notification may not be required.

Was the Integris Health breach the largest in Oklahoma history?

Yes. The 2023 Integris Health breach affected approximately 2.4 million patients, making it the largest data breach disclosed by an Oklahoma-based organization. The incident was notable not only for its scale but for the unusual tactic of attackers directly contacting patients to pressure Integris into paying a ransom.

Are Oklahoma energy companies required to follow specific cybersecurity regulations?

Oklahoma energy companies that operate bulk electric systems must comply with NERC Critical Infrastructure Protection (CIP) standards, which mandate specific cybersecurity controls for operational technology. Pipeline operators must follow TSA Security Directives issued after the Colonial Pipeline attack. Beyond these federal requirements, Oklahoma's own breach notification law applies to all businesses handling personal information.

Does Oklahoma have a state-level cybersecurity agency?

The Oklahoma Office of Management and Enterprise Services (OMES) Information Services division oversees cybersecurity for state agencies. OMES coordinates incident response, sets security standards for state IT systems, and works with the Oklahoma Cyber Command to address threats to state infrastructure. Local governments and private businesses must manage their own cybersecurity programs independently.

What role does Tinker Air Force Base play in Oklahoma's cyber risk profile?

Tinker AFB is home to the Oklahoma City Air Logistics Complex and serves as a major hub for aircraft maintenance and defense logistics. The base and its extensive contractor ecosystem handle classified and controlled unclassified information, making the surrounding business community a target for nation-state cyber espionage. Defense contractors in the Tinker supply chain must comply with CMMC requirements in addition to state data protection laws.

Alex Morgan

Updated Apr 5, 2026 · 8 min read