Health IT company pays $130K to resolve delayed data breach notification

A health IT company that provides support services for providers will pay $130,000 in penalties after it took more than a year to report a data breach that compromised more than 220,000 patient records.

CoPilot Provider Support Services, Inc. agreed to a settlement with New York Attorney General Eric T. Schneiderman nearly six months after reporting the breach. The company, which operates a website that helps providers identify insurance coverage for medications, suffered a data breach in October 2015, but failed to report it to patients until January 2017.

In January’s announcement, CoPilot said it launched a “comprehensive cybersecurity investigation” and determined no financial information or medical records were accessed.

According to the New York Attorney General’s Office, CoPilot blamed the delay on an ongoing FBI investigation, but the state argued that the law enforcement agency never told the company to hold off reporting. As part of the agreement, CoPilot acknowledged that it cannot postpone a breach report “unless explicitly directed in writing” by law enforcement.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” Schneiderman said in an announcement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

RELATED: Healthcare organizations are reporting breaches faster as feds tighten enforcement

In a statement to FierceHealthcare, CoPilot said it is “pleased to have closed this matter,” adding that once it learned of the breach, it “took necessary steps as part of our commitment to safeguarding patient information.”

“Given the complexity of these types of events, CoPilot's investigation involved a lengthy process working closely with law enforcement to assess this incident, including what information and who may have been affected,” the company said. “In addition to our coordination with law enforcement, we also worked quickly to implement additional security measures in order to contain the incident and further protect our system. As of January 18, we have notified all impacted patients.”

Hospitals and HIPAA-covered entities are required to report a breach within 60 days of discovery. Compliance with that timeline has improved recently as the Department of Health and Human Services has stepped up enforcement.  

The CoPilot incident has been mired in oddities. According to an earlier report by, John Witkowski, the company’s former vice president of marketing and sales, was the individual that accessed the system and alerted individuals listed on the site that CoPilot’s lax security protocols left a database of patient information exposed. Witkowski also filed a complaint with the HHS Office for Civil Rights (OCR) in December 2015.

RELATED: HHS is considering changes to OCR’s 'wall of shame'—and experts are divided on the impact

Furthermore, the breach is not listed on the OCR’s breach portal website. In a letter (PDF) sent to New Hampshire Attorney General Joseph Foster, CoPilot General Council Caleb DesRosiers said although the company “maintains it is not a HIPAA-covered entity or business associate,” it has reported the breach to OCR.

CoPilot did not respond to questions regarding whether it reported the incident to OCR.