CoPilot Provider Support Services notifies 220,000 of data security breach in 2015
UPDATE: As of January 24, CoPilot continues to ignore inquiries sent by this site asking for explanations of why it took so long to notify/disclose this breach.
But I see a lot of commenters asking this site/me for information. I don’t have any information to share with you other than what is in the post below from them. Call THEM with your questions. I cannot respond to commenters asking me to provide them with their information because I don’t have it – CoPilot does.
More than one year after it first learned of a possible breach involving its web sites, CoPilot Provider Support Services is notifying patients of doctors who used their service. It’s not clear from their available notification to state attorneys general and notification to those affected whether they suspect an insider breach or if this was a case where a researcher uncovered a leak and downloaded proof, or what. CoPilot did not immediately respond to inquiries sent by DataBreaches.net asking them about that, about why it took so long to notify individuals, and whether they are covered by HIPAA. This post will be updated if more information becomes available.
Here’s the press release they issued yesterday:
Today, CoPilot Provider Support Services, Inc. (“CoPilot”) announced it has been made aware of and managed an unauthorized access of one of its databases used by healthcare professionals and notified patients whose information may have been included in the impacted database. Although CoPilot does not have evidence to suggest that any patient information was distributed or misused for purposes of identity theft or to cause financial harm, CoPilot has proactively notified patients out of an abundance of caution.
The database, intended for healthcare professionals in the U.S. to advise patients on whether certain aspects of treatment are covered by insurance, was illegally accessed in October 2015, including limited information of approximately 220,000 individuals, such as patient name, gender, date of birth, address, phone number, health insurer, and in some instances Social Security numbers. CoPilot learned of this incident on December 23, 2015, and immediately launched an investigation and implemented additional security measures. Based on a comprehensive cybersecurity investigation, it was determined that no financial information, medical treatment records or other sensitive information was accessed.
CoPilot has sent letters to patients whose information was in the impacted database to provide guidance about how they can protect themselves. CoPilot has offered identity theft protection services to affected individuals and encouraged those individuals to regularly check their financial institution statements, account statements, and any other relevant accounts for possible unauthorized activity, and to immediately contact their institutions to report any suspicious activity.
CoPilot recognizes the importance of protecting patient information and is committed to taking steps to prevent this type of incident from occurring again in the future, including the monitoring of its databases by K2 Intelligence, Inc., an independent and nationally renowned forensic IT firm.
The company set up a dedicated call center for patients with questions, which can be reached at (855) 205-6948, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time, excluding major holidays.
About CoPilot Provider Support Services, Inc.
CoPilot is a fully integrated healthcare administrative services and information technology organization supporting providers in understanding the complexities of health insurance benefits, coding, coverage, and payments for each of their patients to ensure optimal treatment and better healthcare outcomes. CoPilot leadership includes executives with managed care, government, healthcare IT, call center and innovative portal development/operations experience.
The following is a template of their notification letter:
Re: Notice of Data Security Incident
Dear <<MemberFirstName>> <<MemberLastName>>,
<<Date>> (Format: Month Day, Year)
On behalf of CoPilot Provider Support Services, Inc. (“CoPilot”), I am writing to notify you of a data security incident that first occurred in October of 2015, which may have involved your personal information.
CoPilot maintains a particular website, www.monovischcp.com,1 used by physicians to help determine whether insurance coverage is available for ORTHOVISC® and MONOVISC® injections. This website may have been used by your physician’s office to make an inquiry about your insurance coverage for these injections. On December 23, 2015, CoPilot received complaints claiming that personal information submitted to the site, including health information, was accessible for downloading from the website. CoPilot immediately launched an investigation and retained a leading cybersecurity consulting firm to assist in its investigation of what occurred.
As a result of CoPilot’s investigation, CoPilot believes that it identified the individual who accessed CoPilot’s database through unauthorized means and downloaded certain health information, and that the data was not accessible for downloading by the general public from the website. Subsequently, CoPilot referred the matter to law enforcement. Our understanding is that the law enforcement investigation supports CoPilot’s conclusion about the identity of the responsible individual.
What Information Was Involved?
The data accessed may have contained information such as your name, gender, date of birth, address, phone number, and medical insurance card information. It is important to note that your Social Security number was not included. No medical records, or specific diagnosis or treatment information was involved in this incident, although the fact that your information was in our database, in connection with other information, could suggest that an inquiry was made regarding whether you had insurance coverage for ORTHOVISC® or MONOVISC® injections.
What we are doing.
We are committed to protecting your information and using it in an appropriate manner. We sincerely apologize for any inconvenience this incident may cause. We are taking steps to address the situation and to further protect against a similar incident in the future, including utilizing enhanced verification, enhanced encryption and implementing increased security audit activity.
At this time, we have no reason to believe that your particular data was targeted, or misused, or that it will be further accessed or disclosed in a manner that exposes you to any significant risk of identity theft, or that it will be further accessed or disclosed. Further, CoPilot has no reason to believe that the information accessed by this individual will be used in any way to cause you financial harm.
1 This same website may have been accessed through www.orthovischcp.com.
To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, Identity Consultation, and Identity Restoration.
Visit kroll.idMonitoringService.com to enroll and take advantage of your identity monitoring services. Membership Number: <<Member ID>>
To receive credit services by mail instead of online, please call 1-855-205-6948. Additional information describing your services is included with this letter. Please note, the deadline to enroll in these services is April 20, 2017.
What you can do.
Please review the enclosed “Additional Resources” section included with this letter. This section describes additional steps you can take to help protect yourself, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.
Please be sure to regularly check your financial institution statements, account statements, and any other relevant accounts for possible unauthorized activity, and immediately contact your institution to report any suspicious activity.
For more information.
If you have questions, please call 1-855-205-6948, Monday through Friday from 9:00 a.m. to 6:00 p.m. Eastern Time. Please have your membership number ready.
Protecting your information is important to us. We trust that the services we are offering to you demonstrate our continued commitment to your security and satisfaction.
General Counsel, CoPilot