[BreachExchange] Health IT company pays $130, 000 to resolve delayed data breach notification

[Audrey McNeil]

http://www.fiercehealthcare.com/privacy-security/health-
it-company-pays-130-000-for-delayed-data-breach-notification

A health IT company that provides support services for providers will pay
$130,000 in penalties after it took more than a year to report a data
breach that compromised more than 220,000 patient records.

CoPilot Provider Support Services, Inc. agreed to a settlement with New
York Attorney General Eric T. Schneiderman nearly six months after
reporting the breach. The company, which operates a website that helps
providers identify insurance coverage for medications, suffered a data
breach in October 2015, but failed to report it to patients until January
2017.

In January’s announcement, CoPilot said it launched a “comprehensive
cybersecurity investigation” and determined no financial information or
medical records were accessed.

According to the New York Attorney General’s Office, CoPilot blamed the
delay on an ongoing FBI investigation, but the state argued that the law
enforcement agency never told the company to hold off reporting. As part of
the agreement, CoPilot acknowledged that it cannot postpone a breach report
“unless explicitly directed in writing” by law enforcement.

"When 221K patient records were exposed, a NY healthcare co. illegally
waited over a year to provide notice. I'm holding them accountable.
pic.twitter.com/iN8qrXJU9d

 — Eric Schneiderman (@AGSchneiderman) June 15, 2017

“Healthcare services providers have a duty to protect patient records as
securely as possible and to provide notice when a breach occurs,”
Schneiderman said in an announcement. “Waiting over a year to provide
notice is unacceptable. My office will continue to hold businesses
accountable to their responsibility to protect customers’ private
information.”

In a statement to FierceHealthcare, CoPilot said it is “pleased to have
closed this matter,” adding that once it learned of the breach, it “took
necessary steps as part of our commitment to safeguarding patient
information.”

“Given the complexity of these types of events, CoPilot's investigation
involved a lengthy process working closely with law enforcement to assess
this incident, including what information and who may have been affected,”
the company said. “In addition to our coordination with law enforcement, we
also worked quickly to implement additional security measures in order to
contain the incident and further protect our system. As of January 18, we
have notified all impacted patients.”

Hospitals and HIPAA-covered entities are required to report a breach within
60 days of discovery. Compliance with that timeline has improved recently
as the Department of Health and Human Services has stepped up enforcement.

The CoPilot incident has been mired in oddities. According to an earlier
report by DataBreaches.net, John Witkowski, the company’s former vice
president of marketing and sales, was the individual that accessed the
system and alerted individuals listed on the site that CoPilot’s lax
security protocols left a database of patient information exposed.
Witkowski also filed a complaint with the HHS Office for Civil Rights (OCR)
in December 2015.

Furthermore, the breach is not listed on the OCR’s breach portal website.
In a letter (http://www.doj.nh.gov/consumer/security-breaches/
documents/copilot-provider-support-services-20170118.pdf) sent to New
Hampshire Attorney General Joseph Foster, CoPilot General Council Caleb
DesRosiers said although the company “maintains it is not a HIPAA-covered
entity or business associate,” it has reported the breach to OCR.

CoPilot did not respond to questions regarding whether it reported the
incident to OCR.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170615/79a169ac/attachment.html>