CoPilot Fined $130,000 by NY AG for Delayed Breach Notification

by Patrick Kennedy | Jun 20, 2017

A data breach that occurred in October 2015 should have resulted in affected individuals being notified within 8 weeks. However, it took CoPilot Provider Support Services Inc. until early 2017 to issue breach notifications.

An online administration portal operated by CoPilot was accessed by an unauthorized person on October 26, 2015. That individual obtained the data of 221,178 people. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The person believed to be responsible for accessing the portal and downloading the data was a former employee. CoPilot contacted the FBI in February 2016 for assistance with the breach investigation and to help establish the identity of the unauthorized individual.

Nevertheless, notifications were not sent by CoPilot until January 18, 2017. CoPilot claims the delay was due to the time it took the FBI to investigate the breach. However, since CoPilot was aware that reimbursement-related records had been obtained, notifications should have been sent sooner to comply with its obligations. In addition, the FBI did not instruct CoPilot to delay issuing breach notifications, as doing so would not have impeded the investigation.

There has been some discussion as to whether CoPilot is subject to HIPAA. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was filed with the Department of Health and Human Services' Office for Civil Rights (OCR). If CoPilot is deemed a HIPAA covered entity or business associate, breach notifications would have to be sent within 60 days of the discovery of the breach.

OCR is investigating whether CoPilot is a business associate and therefore required to comply with HIPAA Rules. If OCR determines that it is, a financial penalty may be issued for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications by 12 weeks. A fine for CoPilot would likely be considerably higher given the number of individuals impacted and the length of the delay.

Whether or not HIPAA financial penalties result from the notification delay, the New York Attorney General has now taken action. Last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a violation of HIPAA Rules but for a violation of New York General Business Law § 899-aa. That law obliges businesses to send timely breach notifications to customers affected by a data breach. In addition to the fine, CoPilot must improve its notification and legal compliance program.

Schneiderman said, "Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs," adding that "waiting over a year to provide notice is unacceptable."

The financial penalty sends a warning to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said, "My office will continue to hold businesses accountable to their responsibility to protect customers' private information."


Patrick Kennedy
