CoPilot Provider Support Services, Inc. has agreed to pay $130,000 in penalties as part of a settlement with the New York Attorney General’s Office for waiting over a year to provide customers with notice of a breach that exposed more than 220,000 patient records. The AG’s office announced the settlement on June 15.

CoPilot maintained a web-based portal through which physicians could determine whether a patient’s insurance would cover certain products. In October 2015, an intruder accessed CoPilot’s database of reimbursement-related records and downloaded personal information including name, gender, date of birth, medical insurance card information and, in some instances, social security number. CoPilot discovered the breach in December 2015 but did not provide formal notice to affected customers until January 2017. Under New York General Business Law §899-aa, a business that maintains computerized data including private information must notify the owner of the information of any breach of the security of the system immediately following discovery.

Under the HIPAA Breach Notification Rule, breaches affecting more than 500 individuals must be reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovery, and such breaches are published on a public list of data breaches. According to reports, CoPilot did communicate with OCR regarding the breach but has maintained that it is not subject to HIPAA requirements because it is not a “covered entity” or a “business associate” as defined under HIPAA. CoPilot’s data breach does not currently appear on OCR’s public list of data breaches.

This settlement serves as a reminder that covered entities and business associates must consider state reporting requirements in addition to HIPAA when implementing compliance programs and responding to breaches involving sensitive patient information.