CoPilot Provider Services has reached a $130,000 settlement with New York state for delaying its HIPAA breach notification process.

New York Attorney General Eric Schneiderman determined that CoPilot unlawfully delayed notifying the 221,178 individuals affected by the breach, sending notice more than a year after the initial intrusion took place.

Schneiderman’s office found that the data breach occurred in October of 2015 due to access by an unauthorized user. CoPilot stores confidential reimbursement data on clients’ patients. The investigation found that the unauthorized individual downloaded patient data, including names, dates of birth, addresses, phone numbers, and medical insurance account information.

The HIPAA breach notification process should have followed in a timely manner from there; however, CoPilot did not notify its clients or the affected individuals until January of 2017. The Attorney General found that this delay violated New York's General Business Law. CoPilot contends that notification was held back because of an FBI investigation into the culprit, but FBI investigators never instructed CoPilot to delay notification.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Schneiderman in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

HIPAA Breach Notification Violation?

The Department of Health and Human Services (HHS) is currently determining if CoPilot is considered a business associate under HIPAA regulation.

A HIPAA business associate is an organization that performs work on behalf of a covered entity (such as a healthcare provider or health plan) and creates, receives, maintains, or transmits protected health information (PHI) in the course of that work. This includes IT services providers, practice management firms, attorneys, EHR platforms, shredding companies, and physical and cloud storage providers, to name a few.

Because the CoPilot data breach included the health insurance information of over 220,000 patients, it’s very likely that the organization will be considered a HIPAA business associate.

The HIPAA Breach Notification Rule sets specific federal requirements for notifying patients about a breach of unsecured PHI. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. When a breach affects 500 or more individuals, the covered entity must also report it to the HHS Office for Civil Rights (OCR) within that same 60-day window, and when it affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to OCR annually. A business associate, for its part, must notify the covered entity without unreasonable delay and no later than 60 days after it discovers a breach. The rule permits a delay only when a law enforcement official states that notification would impede a criminal investigation, which, by the Attorney General's account, did not happen here.

As per information released by the Office of the New York Attorney General, the one-year delay in breach notification did not comply with HIPAA standards.

HIPAA investigations typically take two to four years to reach settlement, meaning that an announcement out of OCR could still be a long time coming.

In January of 2017, OCR reached its first HIPAA settlement specifically for violation of the Breach Notification Rule, for $475,000. OCR has tended to signal its enforcement priorities early in the year, suggesting that more settlements for Breach Notification violations are likely on the horizon. Trends in HIPAA enforcement continue to evolve, and CoPilot could be another target in the months and years ahead.
