Late Breach Notification Ends Up With Hefty NY State Penalty
Healthcare Administrative and IT Services Firm Smacked with $130,000 in Penalties
A settlement between the state of New York and a company that provides support services to the healthcare sector serves as a reminder about timely breach notification, including when law enforcement agencies are investigating the incident.
New York State Attorney General Eric Schneiderman, in a June 15 statement, said CoPilot Provider Support Services, a New York company that provides healthcare administrative and IT services, agreed to pay $130,000 in penalties after violating the state's General Business Law by waiting more than a year to provide notice of a data breach exposing 221,178 patient records.
"Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs," Schneiderman says. "Waiting over a year to provide notice is unacceptable."
The same lesson applies to many other cases like the CoPilot incident, where a breach is under investigation by law enforcement. "One of the key issues [in the CoPilot case] is the length of time the organization took to notify the individuals affected by the incident," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Without documentation of a written request by a law enforcement official to delay notification and reporting because it would impede an investigation, the company lacks the documentation required to excuse the delay in notification for over a year."
CoPilot's website is used by physicians to help determine whether a patient's insurance coverage is available for certain medications.
According to the AG, an unauthorized individual gained access to confidential patient reimbursement data of CoPilot on Oct. 26, 2015, via the website administration interface, PHPMyAdmin. The intruder downloaded reimbursement-related records for 221,178 patients - including their name, gender, date of birth, address, phone number and medical insurance card information. Of the patients affected, 25,561 were residents of New York; 11,372 of the New York patients' records also included Social Security numbers.
In mid-February 2016, at CoPilot's request, the FBI opened an investigation into the breach, focusing on a former CoPilot employee who the company believed was the intruder. However, CoPilot did not begin providing formal notice to affected consumers in New York until this past Jan. 18.
"Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation and never instructed CoPilot to delay victim notifications," the AG says, adding that state law requires companies to provide notice of a breach as soon as possible. "A company cannot presume delayed notification is warranted just because a law enforcement agency is investigating."
Improving Security Practices
In addition to the financial settlement, CoPilot has agreed to improve its notification and legal compliance program. That includes training of all CoPilot officers, managers and employees as to their roles and responsibilities in ensuring that CoPilot complies with New York state's breach notification law.
The agreement also states that CoPilot must not delay providing notification of a breach to consumers unless explicitly directed to do so in writing by an authorized law enforcement official investigating the incident for criminal prosecution, on the grounds that consumer notice of the incident would impede the investigation. "In such an event," Schneiderman says, "CoPilot must request a date when notification can be provided, and if a date is not forthcoming, maintain contact with the law enforcement agency until approval for notification pursuant to [state law] is provided."
CoPilot in a statement to Information Security Media Group says it has taken action to bolster its security practices in the wake of the incident.
"Once we learned of the issue, we implemented additional security measures and took necessary steps as part of our commitment to safeguarding patient information," the CoPilot statement says. "Given the complexity of these types of events, CoPilot's investigation involved a lengthy process working closely with law enforcement to assess this incident, including what information and who may have been affected. ... In addition to our coordination with law enforcement, we also worked quickly to implement additional security measures in order to contain the incident and further protect our system."
Lessons for Others
Privacy attorney Kirk Nahra says that it appears CoPilot is neither a covered entity nor a business associate that would be regulated under the HIPAA breach notification rule. Those rules call for notification within 60 days of incidents impacting 500 or more individuals.
"My guess is that the doctors are searching [on CoPilot's website] by plan, not by patient," Nahra says. "The site has registered users who are patients who are getting some kind of benefit from the drug company so probably no HIPAA involvement at all."
Regardless of whether a security incident falls under the federal HIPAA regulations, all health-related organizations - including HIPAA covered entities and business associates - need to be mindful of state breach reporting requirements. "State breach laws have a much more limited set of data elements that they cover - most states cover only Social Security numbers, credit cards, bank accounts," Nahra says. "Only a few [state laws cover] health information [so organizations] always have to think about state law implications - the state laws cover residents of a state, so it may involve many states."
Nahra points out that most states do not act when they're provided notice. "But, if there's an easy way to show you didn't meet your notice obligations, that's an easy case to bring and law enforcement will bring it," he says. "I'm not talking about being a day or two late - this [CoPilot] case seems to have been a really long time overdue."
In cases being investigated by the FBI or other law enforcement agencies, "unless you have some specific request from law enforcement - that you can document if needed - that shouldn't delay the notice," Nahra says. "Or, if you are confused, go to the [state] AG and talk with them."
Holtzman points out that getting documentation from law enforcement officials about the delay of breach notification also pertains to HIPAA breach reporting.
Under the HIPAA breach notification rule, if a law enforcement official informs an entity that notifying the government or individuals of a potential breach would impede a criminal investigation or harm national security, the entity must delay reporting the breach for the period the law enforcement official requests in writing, or for 30 days if the request is made orally.
"It is crucial to document communications with law enforcement and to understand ... the length of any allowable delay for reporting to state and federal regulators," Holtzman says.