Most states have laws requiring companies to notify those affected by a data breach. When the company that suffered the breach delays notification, New York, like other states, takes enforcement action.
In one recent case, N.Y. State Attorney General Eric T. Schneiderman announced a settlement with CoPilot Provider Support Services, Inc. (CoPilot), a New York corporation that provides support services to the health industry, after the company violated the state's General Business Law by waiting more than a year to provide notice of a data breach that exposed 221,178 patient records. As part of the settlement, CoPilot has agreed to pay $130,000 in penalties and to improve its notification and legal compliance program.
"Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs," said Attorney General Schneiderman. "Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers' private information."
Of the patients affected, 25,561 were residents of New York; 11,372 of the New York patients' records also included Social Security numbers.
CoPilot's turbulent timeline
On Oct. 26, 2015, an unauthorized individual gained access to confidential patient reimbursement data of CoPilot via the website administration interface, phpMyAdmin. In mid-February 2016, the FBI opened an investigation at CoPilot's request, focusing on a former CoPilot employee who CoPilot believed was the intruder.
On Jan. 18, 2017, CoPilot began to provide formal notice to affected consumers in New York. The notifications were issued more than one year after CoPilot learned of the breach of patient data. Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation and never instructed CoPilot to delay victim notifications. N.Y. General Business Law Section 899-aa requires companies to provide notice of a breach as soon as possible, and a company can't presume delayed notification is warranted just because a law enforcement agency is investigating.
The ruling is in
Along with the $130,000 in penalties, CoPilot has also agreed to comply with New York's consumer protection and data security laws and to update relevant policies and procedures to ensure compliance with GBL Section 899-aa. Its legal compliance program must include training of all officers, managers and employees of CoPilot as to their roles and responsibilities in ensuring that CoPilot complies with the law and provides timely notices to affected consumers in the event of a breach. All officers and managers of CoPilot are required to review the obligations of the agreement.
The agreement also states that CoPilot should not delay providing notification of a breach to consumers unless explicitly directed in writing by an authorized law enforcement official investigating the incident for criminal prosecution, stating that consumer notice of the incident would impede the investigation. In that case, CoPilot must request a date when notification can be provided, and if a date is not forthcoming, maintain contact with the law enforcement agency until approval for notification is provided.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.