Provider services vendor CoPilot agrees to a breach settlement
The state of New York has reached a legal settlement with CoPilot Provider Support Services, after the state charged that the vendor, which provides a variety of services to healthcare organizations, didn’t notify more than 220,000 patients in a timely manner that their protected health information had been compromised.
Under terms of the settlement, CoPilot will pay a $130,000 fine and improve its notification and legal compliance programs.
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” New York Attorney General Eric Schneiderman said in a statement. “Waiting over a year to provide notice is unacceptable.”
CoPilot serves the life sciences and healthcare provider sectors in many ways. Its services and products include software integration, data analytics and dashboards, e-prescribing, web portals, sales training, clinical trials and reimbursement support, among other offerings.
CoPilot did not respond to a request for comment on the charge or settlement.
The company operates a web site that physicians use to verify if a medication is covered by a patient’s insurance plan. In October 2015, an intruder accessed the web site and downloaded reimbursement-related data on 221,178 patients. Compromised information included names, gender, dates of birth, addresses, phone numbers and insurance information.
The compromised data included that of 25,561 residents of New York state, with 11,372 of the residents also having their Social Security numbers compromised—that gave Schneiderman’s office the authority to investigate the breach.
The FBI also investigated at CoPilot’s request. However, the New York attorney general’s office contends that patient notification didn’t begin until January 2017.
“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation and never instructed CoPilot to delay victim notifications,” according to Schneiderman, who further charged that state law requires notification as soon as possible.
Under the settlement, all officers, managers and employees of CoPilot will receive legal compliance training, and in the future the company should not delay notification of a breach unless explicitly directed to do so by law enforcement.