As part of a settlement with the New York attorney general, CoPilot Provider Support Services will pay $130,000 in penalties for waiting more than a year to notify hundreds of thousands of patients of a data breach.
More than 220,000 patients' data stored by CoPilot was breached in October 2015. But the company, which provides physicians with insurance-coverage information about medications, didn't alert those patients until January 2017. The breach was also not listed on HHS' Office for Civil Rights' Breach Notification Portal, which lists breaches of protected health information that affected 500 or more patients.
The gap between the breach and the company's notification violated a state law that requires companies to notify affected individuals of a breach as soon as they can.
CoPilot stated that the delay was due to an FBI investigation, though the FBI never told the company to hold off on notifying patients. The settlement also requires that CoPilot not delay breach notifications in the future unless law enforcement instructs it to do so in writing.
Along with the payment, the settlement with New York Attorney General Eric Schneiderman also stipulates that the company will revise its policies to make sure they comply with state law.