Following its delay in notifying patients affected by a data breach, CoPilot Provider Support Services will pay $130,000 as a condition of its settlement with New York Attorney General Eric Schneiderman, according to a post on Modern Healthcare.
Data on 220,000 patients stored by CoPilot was compromised in October 2015. However, the company – which offers information to doctors and health care providers about insurance coverage on pharmaceuticals – did not notify those affected until January 2017. The exposure also was not reported to the Breach Notification Portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights, as required by section 13402(e)(4) of the HITECH Act for breaches affecting 500 or more individuals.
The delay constituted a violation of state law, the report stated. CoPilot maintained that the delay was due to an FBI investigation, though the FBI reportedly did not instruct the company to withhold notification from patients.
“The settlement includes instruction that CoPilot should, in the future, never wait to notify of breaches unless instructed to do so in writing by law enforcement,” the story stated.
In addition to the fine, the settlement requires that CoPilot alter its policies to maintain compliance with state laws.