CoPilot Texas-based Texas Patients Just Informed of 2015 Breach

Texas orthopedic clinic CoPilot are just now informing their patients that their protected health information may have been exposed in a 2015 CoPilot data breach.

In October 2015, an online portal managed by CoPilot Provider Support Services was accessed by an unauthorized person. That person gained access to, and downloaded, the private date of more than 220,000 patients. The website was used by patients to find out if either of two drugs – ORTHOVISC® and MONOVISC® – were included in the patients’ health cover.

CoPilot found out that its website had been breached on December 23, 2015, and began an investigation. The person who obtained the data was identified and the issue was reported to law enforcement agencies. No information was thought to have been accessible by the public.

While the incident was settled, CoPilot delayed sending out breach notifications until January 2017. That delay lead to a $130,000 fine from the New York Attorney General being applied in June 2017.

It has been two years since the breach occurred, and eight months from when notifications were sent out, but some breach victims are only just finding out that they have been impacted. 653 patients of Kraig R. Pepper, D.O., P.A. were only warned of the breach in late September.

Dr. Pepper did not find out about the breach until July 31, 2017, when he discovered some of his patients’ data had been exposed in the 2015 CoPilot data violation. The breached data did not include any medical records, X-rays, or test results stored by Dr. Pepper, only information that was supplied to DePuy Mitek, Inc., the firm from which the drugs were bought. The information supplied to that company and was exposed included names, addresses, Social Security numbers, dates of birth, phone numbers, gender, ID numbers, Group numbers, medical insurance information, prescription information, and some clinical data.

While there has been a significant delay in receiving notification, affected people have been offered identity theft protection services for free for one year.