Health IT company CoPilot agrees to $130k settlement after delayed breach notification

CoPilot Provider Support Services will pay $130,000 in penalties and reform its legal compliance program as part of a settlement to resolve allegations the company illegally deferred notifying more than 221,178 patients of breached records, New York Attorney General Eric T. Schneiderman announced June 15.

The Hyde Park, N.Y.-based health IT company provides support services to the healthcare industry through a website physicians can use to determine insurance coverage for certain medications. An unauthorized individual allegedly gained access to confidential patient reimbursement data via the website's administration interface Oct. 26, 2015, and downloaded records of 221,178 patients. These records may have included names, dates of birth and Social Security numbers, among other information.

CoPilot did not provide formal notice to affected New York patients until Jan. 18, 2017, more than one year after the company discovered the breach. CoPilot asserted the delay was due to an ongoing law enforcement investigation, however, the FBI — which launched an investigation into the incident at CoPilot's request in February 2016 — had not instructed the company to delay notification. This delay reportedly violated general business law in the state, which requires companies to provide notice of a breach as soon as possible.

"Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs," Mr. Schneiderman said. "Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers' private information."

Editor's note: Becker's Hospital Review reached out to CoPilot Provider Support Services for comment and will update as more information is available.

More articles on health IT:
DOD needs top talent to address cyberthreats, acting CIO says
One-third of execs trust automated systems more than humans for cybersecurity
198M affected in largest exposure of voter information: 5 things to know


© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Top 40 Articles from the Past 6 Months