
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Texas Patients Just Informed of 2015 CoPilot Data Breach

Patients of a Texas orthopedic clinic are just finding out that some of their protected health information was exposed in a 2015 CoPilot data breach.

In October 2015, a website maintained by CoPilot Provider Support Services was accessed by an unauthorized individual. That individual gained access to, and downloaded, the PHI of more than 220,000 patients. The website was used by providers to find out whether two drugs – ORTHOVISC® and MONOVISC® – were covered by the patients’ health insurance.

CoPilot discovered its website had been breached on December 23, 2015, and launched an investigation. The individual who accessed the data was identified and the matter was reported to law enforcement. No information was believed to have been accessible by the public.

While the incident was resolved, CoPilot delayed issuing breach notifications until January 2017. That delay resulted in a $130,000 fine from the New York Attorney General in June 2017.


It has been two years since the breach, and eight months from when notifications were issued, but some breach victims are only just discovering they have been impacted. 653 patients of Kraig R. Pepper, D.O., P.A. were only notified of the breach in late September.

Dr. Pepper did not become aware of the breach until July 31, 2017, when he found out some of his patients’ data had been exposed in the 2015 CoPilot data breach. The breached information did not include any medical records, X-rays, or test results held by Dr. Pepper, only information that was provided to DePuy Mitek, Inc., the company from which the drugs were purchased. The information that was disclosed to that company and exposed included names, addresses, Social Security numbers, dates of birth, phone numbers, gender, ID numbers, Group numbers, medical insurance information, prescription information, and some clinical information.

While there has been a considerable delay in receiving notification, affected patients have been offered identity theft protection services without charge for 12 months.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
