The Department of Justice (DOJ) recently announced a settlement with CoPilot Provider Support Services, a New York corporation that provides support services to the healthcare industry, after the company waited more than a year to provide notice of a data breach that exposed 221,178 patient records.
The company said it delayed reporting because of an ongoing FBI investigation, but the settlement makes clear that the government expects covered entities to comply with reporting requirements unless explicitly asked to delay reporting by law enforcement.
CoPilot agreed to pay $130,000 in penalties and improve its notification and legal compliance program, according to the DOJ.
Physicians use CoPilot’s website to determine insurance coverage for certain medications. An unauthorized person gained access to confidential patient reimbursement data via CoPilot’s web-based database administration interface, phpMyAdmin, on Oct. 26, 2015, the DOJ explained. The intruder downloaded reimbursement-related records for 221,178 patients — including names, gender, dates of birth, addresses, phone numbers, and medical insurance card information. Of the patients affected, 25,561 were residents of New York; 11,372 of the New York patients’ records also included Social Security numbers.
In mid-February 2016, the FBI opened an investigation at CoPilot’s request, focusing on a former employee who the company believed was the intruder.
On Jan. 18, 2017, CoPilot provided formal notice to affected consumers in New York. The notifications were issued more than one year after CoPilot learned of the breach of patient data.
“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” the DOJ said. “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”
CoPilot agreed to pay $130,000 in penalties and strengthen its HIPAA compliance program. The agreement also states that, in the future, the company should not delay breach notification to consumers, “unless explicitly directed in writing by an authorized law enforcement official investigating the incident for criminal prosecution, in which that consumer notice of the incident would impede the investigation. In such an event, CoPilot must request a date when notification can be provided, and if a date is not forthcoming, maintain contact with the law enforcement agency until approval for notification pursuant to GBL § 899-aa is provided.”