NYS settles with CoPilot Provider Services over delayed breach notification to 220,000 patients
There’s a follow-up to an incident reported by DataBreaches.net in January and February involving CoPilot Provider Services. As I had reported in January, CoPilot took more than one year to notify individuals of a breach involving their website, and would not answer any questions as to why it took so long. As I subsequently reported in February, the incident may not have been as the firm first described it, and OCR was reportedly investigating. Whether HHS/OCR had any authority, however, was unclear, as the firm disputed that it was a covered entity or business associate.
HIPAA aside, the company apparently violated NYS law in terms of protecting data and making prompt notification. Today, the NYS Attorney General announced a settlement with the firm:
Company Violated General Business Law That Requires Companies To Provide Notice Of A Breach As Soon As Possible
CoPilot Provider Support Services, Inc. Must Pay $130,000 In Penalties And Reform Its Legal Compliance Program
Schneiderman: Healthcare Services Providers Have A Duty To Protect Patient Records As Securely As Possible And To Provide Notice When A Breach Occurs
NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with CoPilot Provider Support Services, Inc. (“CoPilot”), a New York corporation that provides support services to the health industry, after the company violated General Business Law by waiting over a year to provide notice of a data breach that exposed 221,178 patient records. CoPilot has agreed to pay $130,000 in penalties and to improve its notification and legal compliance program.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Attorney General Schneiderman. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
CoPilot’s website—www.monovischcp.com—is used by physicians to help determine whether insurance coverage is available for certain medications. On October 26, 2015, an unauthorized individual gained access to confidential patient reimbursement data of CoPilot via the website administration interface, PHPMyAdmin. The intruder downloaded reimbursement-related records for 221,178 patients—including their name, gender, date of birth, address, phone number, and medical insurance card information. Of the patients affected, 25,561 were residents of New York; 11,372 of the New York patients’ records also included social security numbers.
In mid-February 2016, the Federal Bureau of Investigation opened an investigation at CoPilot’s request, focusing on a former CoPilot employee whom CoPilot believed was the intruder.
On January 18, 2017, CoPilot began to provide formal notice to affected consumers in New York. The notifications were issued more than one year after CoPilot learned of the breach of patient data. Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications. General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.
Pursuant to the agreement, CoPilot has agreed to pay $130,000 in penalties. It also has agreed to comply with New York’s consumer protection and data security laws, Executive Law § 63(12) and GBL § 899-aa, and to update relevant policies and procedures to ensure compliance with GBL § 899-aa. Its legal compliance program must include training of all officers, managers, and employees of CoPilot as to their roles and responsibilities in ensuring that CoPilot complies with GBL § 899-aa and provides timely notices to affected consumers in the event of a breach. All officers and managers of CoPilot are required to review the obligations of the agreement.
The agreement also states that CoPilot should not delay providing notification of a breach to consumers, unless explicitly directed in writing by an authorized law enforcement official investigating the incident for criminal prosecution, where consumer notice of the incident would impede the investigation. In such an event, CoPilot must request a date when notification can be provided, and if a date is not forthcoming, maintain contact with the law enforcement agency until approval for notification pursuant to GBL § 899-aa is provided.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Assistant Attorney General Jordan Adler, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.
Note that the press release does not indicate that law enforcement ever found the suspect employee at fault.
Nor is the incident up on HHS’s breach tool.
DataBreaches.net is attempting to get updated information on this case.