A data breach that happened in October 2015 should have seen affected people notified within 8 weeks. However, it took CoPilot Provider Support Services Inc. until early 2017 to issue data breach notifications.
An administration online portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That individual also obtained the data of 221,178 people. The stolen data included personal information such as names, dates of birth, phone numbers, addresses, and medical insurance details.
The person believed to be responsible for accessing the website and downloading data was a former member of staff. CoPilot contacted the FBI in February 2016 for assistance with the breach investigation and to help establish the identity of the unauthorized individual.
Despite this, notifications were not sent by CoPilot until January 18, 2017. CoPilot claims the delay was due to the amount of time that it took the FBI to investigate the breach. However, since CoPilot was aware that reimbursement-related records had been obtained, notifications should have been sent sooner to comply with their obligations. In addition to this, the FBI did not instruct CoPilot to delay the issuing of breach notifications as this would not have impeded the investigation.
There has been some discussion as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was issued by the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is deemed a HIPAA covered entity, it would be necessary for breach notifications to be sent within 60 days of the discovery of the data breach.
OCR is investigating and trying to determine whether CoPilot is deemed a business associate and therefore must be in compliance with HIPAA Rules. If OCR determines this is the case, the decision may be taken to issue a financial penalty for the delayed data breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying data breach notifications for 12 weeks. A fine for CoPilot would likely be much higher considering the number of individuals impacted by the data breach and the length of the delay.
HIPAA financial penalties may or may not result from the notification delay, but the New York attorney general has now taken action. Last week, Eric Schneiderman revealed that CoPilot has been fined $130,000 for the breach notification delay, not for a violation of HIPAA Rules but for a breach of General Business Law § 899-aa. The law obliges businesses to send timely breach notifications to customers impacted by a data breach. In addition to the fine, CoPilot must improve its notification and legal compliance program.
Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”
The financial penalty sends a warning to all businesses that unnecessary breach notification delays will not be permitted. Schneiderman said, “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”