Healthcare Information Security

Patient Privacy News

$130K NY State Settlement from Late Data Breach Notification

The New York Attorney General’s office announced a $130,000 settlement with a healthcare services company stemming from lackluster data breach notification.

Late data breach notification led to a settlement with the New York Attorney General's office.

Source: Thinkstock

By Elizabeth Snell

- CoPilot Provider Support Services, Inc. recently agreed to a $130,000 settlement with New York after the company was found to have violated state data breach notification law, according to the New York Attorney General’s office.

CoPilot provides healthcare support services, and waited over one year to provide notice that a data breach exposed 221,178 patient records, the AG statement explained.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” Attorney General Schneiderman said in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.” 

CoPilot released a statement on the incident in question in January 2017. A database had been accessed by an unauthorized party, potentially compromising the data of professionals and patients who had information stored in the database, according to CoPilot’s statement.  

The organization said it learned of the incident on December 23, 2015. It then launched an investigation and implemented additional security measures. CoPilot said it determined that no financial information, medical treatment records or other sensitive information was accessed.

Along with providing notification letters, CoPilot offered identity theft protection services to those who may have been impacted. Individuals were also encouraged to carefully monitor their financial institution statements, account statements, and other relevant accounts for any unauthorized activity.

CoPilot maintained that the data breach notification delay was due to an ongoing law enforcement investigation. However, the New York AG office stated that “the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications.” 

“General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating,” the AG office explained.

Along with paying the $130,000 in penalties, CoPilot must also comply with New York’s consumer protection and data security laws, Executive Law § 63(12) and GBL § 899-aa, and update relevant policies and procedures to ensure compliance with GBL § 899-aa.

“[CoPilot’s] legal compliance program must include training of all officers, managers, and employees of CoPilot as to their roles and responsibilities in ensuring that CoPilot complies with GBL § 899-aa and provides timely notices to affected consumers in the event of a breach,” the AG statement read.

Going forward, CoPilot will not delay data breach notification to customers unless it is specifically instructed to do so by an authorized law enforcement official.

“In such an event, CoPilot must request a date when notification can be provided, and if a date is not forthcoming, maintain contact with the law enforcement agency until approval for notification pursuant to GBL § 899-aa is provided,” the AG office wrote.

Failure to provide timely data breach notification can result in fines at the state and federal level.  

In January 2017, healthcare network Presence Health agreed to a $475,000 OCR HIPAA settlement following a reported data breach and a delayed breach notification process.

The original incident occurred on October 22, 2013, but Presence submitted a breach notification report to OCR on January 31, 2014.

“Presence Health failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and OCR,” the OCR investigation found.

Then-OCR Director Jocelyn Samuels explained that covered entities need to have a clear policy on the HIPAA Breach Notification Rule.

“Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach,” Samuels said in a statement.

The Presence St. Joseph Medical Center said that there was a delay in the notification process because of miscommunications between its workforce members.  

Presence had also submitted data breach reports involving breaches affecting fewer than 500 individuals in 2015 and 2016. HHS explained that after reviewing those reports, it found that “the Presence Health entities had failed to provide timely written breach notifications to the individuals whose PHI had been compromised as a result of those breaches.” 


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks