CoPilot Provider Support Services, Inc. agreed to a $130k settlement with the State of New York after violating the state data breach notification law.

In a June 15 press release, the New York State Attorney General outlined the details about the $130k settlement with CoPilot Provider Support Services, Inc. More than 220,000 individuals were left in the dark for more than a year about the data breach.

CoPilot helps physicians determine whether insurance coverage is available for certain medications. Information was impermissibly accessed by an unauthorized individual on October 26, 2015. The individual downloaded the records of 221,178 patients, which included names, dates of birth, phone numbers, addresses, and medical insurance information; some records also included Social Security numbers.

In February 2016, CoPilot contacted the Federal Bureau of Investigation (FBI); the investigation focused on a former employee. On January 18, 2017, notices were sent to affected individuals. That’s more than one year after the breach was discovered. CoPilot states that this delay was in part due to the ongoing investigation, but the FBI never stated that notification would impede the investigation and never instructed CoPilot to withhold information.

New York law states that companies must provide notice as soon as possible and cannot assume that law enforcement will require delayed notification.

Consequently, CoPilot will need to pay the $130,000 fine. Additionally, CoPilot will need to update all breach notification policies and procedures to help ensure this does not happen again. Finally, the agreement requires CoPilot not to delay notification in the future, and any such delay must be requested in writing by the involved law enforcement agency.

This case is a great reminder that covered entities and business associates must follow state regulations in addition to federal ones. It’s also a reminder that the fines can add up over time when a breach occurs.

Don’t leave your organization at risk! Start using HIPAAgps today to help you understand the federal HIPAA compliance regulations. Additionally, if you have any questions about state requirements, contact us and we can help you identify state information.