The patch vulnerabilities described in USN-3624-1 are fixed by an update that is installed automatically on SecureDrop production instances. The update will trigger the following OSSEC alert, which is expected.
OSSEC HIDS Notification.
2018 Apr 11 04:10:14

Received From: mon->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/usr/bin/patch'
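
One way to confirm that an alert like this is explained by the automatic update is to check that the package owning the changed file was upgraded shortly before the alert fired. The sketch below is an added example, not SecureDrop or OSSEC code. It assumes a constructed dpkg.log excerpt with placeholder versions, a constructed file-to-package map standing in for `dpkg -S` output, a hypothetical 24-hour window, and that both timestamps come from clocks in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Alert text as quoted on this page.
ALERT = """OSSEC HIDS Notification.
2018 Apr 11 04:10:14

Received From: mon->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/usr/bin/patch'
"""

# Constructed /var/log/dpkg.log excerpt; time and versions are placeholders.
DPKG_LOG = """2018-04-11 04:02:51 upgrade patch:amd64 OLD-VERSION NEW-VERSION
2018-04-11 04:02:52 status installed patch:amd64 NEW-VERSION
"""

# Constructed file-to-package map, standing in for `dpkg -S <path>` output.
OWNERS = {"/usr/bin/patch": "patch"}


def parse_alert(text):
    """Return (timestamp, rule id, changed path) from a syscheck notification."""
    ts = re.search(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s*$", text, re.M)
    rule = re.search(r"^Rule: (\d+) fired", text, re.M)
    path = re.search(r"Integrity checksum changed for: '([^']+)'", text)
    if not (ts and rule and path):
        raise ValueError("not an integrity-checksum notification")
    when = datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S")
    return when, int(rule.group(1)), path.group(1)


def upgrades(dpkg_log):
    """Yield (timestamp, package) for each 'upgrade' line in dpkg.log text."""
    for line in dpkg_log.splitlines():
        f = line.split()
        if len(f) == 6 and f[2] == "upgrade":
            when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
            yield when, f[3].split(":")[0]


def explained_by_upgrade(alert, dpkg_log, owners, window=timedelta(hours=24)):
    """True if the changed file's package was upgraded shortly before the alert."""
    when, rule, path = parse_alert(alert)
    pkg = owners.get(path)
    if rule != 550 or pkg is None:
        return False  # other rule, or file not owned by any package: investigate
    return any(p == pkg and timedelta(0) <= when - t <= window
               for t, p in upgrades(dpkg_log))
```

A False result means the checksum change has no matching package upgrade in the log and should be investigated rather than treated as expected.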