More than 220,000 patients’ data stored by CoPilot was breached in October 2015. But the company, which provides physicians with insurance-coverage information about medications, didn’t alert those patients until January 2017. The breach was also not listed on HHS’ Office for Civil Rights’ Data Breach Portal, which lists breaches of protected health information that affected 500 or more patients.
The gap between the breach and the company’s notification of patients was a violation of a state law that requires companies to notify affected individuals of breaches as soon as they can.
CoPilot stated that the delay was due to an FBI investigation, though the FBI never told the company to hold off on notifying patients. The settlement instructs CoPilot that, in the future, it must never delay breach notification unless instructed to do so in writing by law enforcement.
Along with the payment, the settlement with New York attorney general Eric Schneiderman also stipulates that the company will revise its policies to make sure they comply with state law.
Rachel Arndt joined Modern Healthcare in 2017 as a general assignment reporter. Her work has appeared in Popular Mechanics, Quartz, Fast Company, and elsewhere. She has MFAs in nonfiction and poetry from the University of Iowa and a bachelor’s degree from Brown.