CoPilot Fined $130,000 by NY AG for Breach Notification Submitted Late

People affected by a data breach that occurred in the second half of 2015 should have been notified within 2 months. However, CoPilot Provider Support Services Inc. did not send out official breach notifications until January 2017.

An administration portal controlled by CoPilot was accessed by an unauthorized person on October 26, 2015. That person also downloaded the records of 221,178 people. The stolen data included names, dates of birth, phone numbers, addresses and medical insurance information.

The person believed to have accessed the portal and downloaded the data was a former CoPilot employee. The company contacted the FBI in February 2016 for assistance with the breach investigation and to establish the identity of the unauthorized person.

However, CoPilot did not issue breach notifications until January 18, 2017. CoPilot says the delay was due to the time the FBI took to complete its investigation of the breach; however, since CoPilot knew that reimbursement-related records had been obtained, notifications should have been sent out sooner. Further, law enforcement did not direct CoPilot to delay the breach notifications, as issuing them would not have obstructed the investigation.

There is some debate as to whether CoPilot is a HIPAA-covered organization. CoPilot has previously said it is not covered by HIPAA Rules, although it did submit a breach report to the Department of Health and Human Services’ Office for Civil Rights (OCR). If CoPilot is a HIPAA-covered organization, breach notifications would have had to be sent to OCR within 60 days of the discovery of the breach.

OCR is investigating whether CoPilot is classed as a business associate and therefore must adhere to HIPAA Rules. If OCR determines that CoPilot is a HIPAA-covered organization, it may decide to issue a fine for the delayed breach notifications. Earlier in 2017, OCR fined Presence Health $475,000 for delaying breach notifications by three months. A fine for CoPilot would likely be much higher, considering the number of people impacted by the breach and the length of the delay.

HIPAA fines may or may not arise from the notification delay, but the New York attorney general has now begun taking steps to address it. On Thursday last week, Eric Schneiderman revealed that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. That law requires businesses to send timely breach notifications to people impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance measures.

While revealing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” before going on to add that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a warning to all businesses that breach notification delays will not be tolerated. Schneiderman commented, “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

Author: Maria Perez