Earlier this month, New York Attorney General Eric Schneiderman announced that his state had entered into a settlement with CoPilot Provider Support Services, Inc. (CoPilot). The settlement resolves CoPilot's violation of the data breach notification requirements of the New York General Business Law (GBL), which requires companies, among other things, to provide notice of a breach as soon as possible. Under the terms of the settlement, CoPilot, which operates a website physicians use to determine whether certain medications are covered by insurance, must pay a $130,000 penalty, update its relevant policies and procedures to ensure compliance with New York's consumer protection and data security laws, and train all of its officers, managers, and employees on their duties in making certain that CoPilot complies with the GBL and provides timely notice to any consumers affected by a data breach.
Here, CoPilot violated the GBL by waiting more than one year to notify consumers that the security of their data had been breached in a cyberattack in October 2015, one in which the attacker accessed confidential patient reimbursement data stored by CoPilot, including names, addresses, phone numbers, birth dates, and medical insurance information. Although CoPilot notified the FBI of the breach, and the FBI opened an investigation in February 2016, CoPilot did not notify affected consumers until January 2017.
When one learns of a data breach involving a healthcare services provider, the first thought is often the notification requirements of the federal HIPAA/HITECH breach notification rule. The above matter, however, serves as a valuable reminder that one must also be mindful of, and comply with, state law requirements, especially considering that all but two states have enacted their own breach notification rules, and that those rules cover more than just personal health information.