Healthcare service provider CoPilot Support Services (“CoPilot”) recently agreed to pay a $130,000 settlement after it waited over a year to notify patients of a data breach, in violation of New York’s breach notification law. The settlement highlights the need for covered entities to ensure compliance with state breach notification laws, which may impose stricter notice requirements than federal law, in addition to ensuring compliance with HIPAA. Likewise, as the New York Attorney General indicated in its press release about this matter, covered entities should not delay notifying consumers of a breach “unless explicitly directed in writing by an authorized law enforcement official” in cases where such notice would impede an ongoing investigation.

CoPilot provides physicians with insurance coverage information for certain medications through a web portal. In October 2015, an unauthorized individual gained access to protected patient reimbursement data via the company’s website administration interface. The breach involved records for 221,178 patients, including 25,561 New York residents. The Federal Bureau of Investigation opened an investigation at CoPilot’s request in mid-February 2016, focusing on a former employee suspected of stealing the data. On January 18, 2017, CoPilot began to provide notification to affected individuals in New York.

The New York Attorney General faulted CoPilot’s decision to wait more than one year to notify patients. CoPilot argued that it delayed notification due to the FBI’s ongoing investigation. However, the Attorney General found the delay unwarranted because the FBI never determined that personal notification would compromise the investigation nor did it instruct CoPilot to delay notification. According to the NY Attorney General: “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.” By contrast, HIPAA requires covered entities to notify individuals without unreasonable delay and no later than 60 days following the discovery of a breach. Although many states also have an “as soon as practical” standard for breach notification, several states require notification to be sent earlier than 60 days, and HIPAA requires compliance with the more stringent requirement.

In addition to the $130,000 penalty, CoPilot agreed to ensure and monitor compliance with New York’s data security laws, to update its data security policies and procedures, and to provide data security training as part of its legal compliance program.