Share this article on:
An unauthorized individual has accessed and downloaded the highly sensitive information of approximately 220,000 osteoarthritis patients from a website database maintained by CoPilot Provider Support Services.
The website is used by physicians to determine whether ORTHOVISC® and MONOVISC® injections are covered by patients’ health insurance. The information entered via the website is added to a database maintained by CoPilot. That database was downloaded by an unauthorized individual, although according to a breach notice issued by CoPilot, the database was not accessible to the general public at any point.
While not explicitly stated in the breach notice, the wording suggests that the individual responsible for the breach was a former employee. CoPilot believes it identified the person responsible and details of its investigation were passed to law enforcement. CoPilot reports that the law enforcement investigation confirmed CoPilot’s conclusions to be correct.
While it is possible that data were accessed and downloaded with malicious intent, CoPilot does not believe the information was downloaded in order to commit fraud. This also points to an employee rather than a hacker.
The data downloaded was limited to names, genders, addresses, phone numbers, and medical insurance card information, although some individuals’ Social Security numbers were also copied.
Individuals impacted by the breach have been offered credit and identity monitoring services via Kroll for 12 months to protect them against fraudulent use of their information, although CoPilot has told patients it has no reason to believe that any of the downloaded information was misused, nor that it will be disclosed to other individuals.
The security incident came to light when CoPilot started to receive complaints claiming information uploaded to the website could be downloaded. An investigation was immediately initiated and a cybersecurity firm was retained to conduct a forensic investigation.
CoPilot issued a press release on January 18, 2017 announcing the security incident, notified the California Department of Justice on January 19, 2017, and started informing patients on or around the same date.
However, the timing of the breach notices is peculiar. CoPilot discovered the potential breach on December 23, 2015, yet it has taken over a year from discovery of the breach for breach notifications to be issued. CoPilot’s investigation revealed patient data were improperly downloaded in October 2015.
Under Health Insurance Portability and Accountability Act’s Breach Notification Rule, HIPAA-covered entities are required to issue data breach notifications to patients, Office for Civil Rights and the media within 60 days of the discovery of a breach.
The failure to comply with the Breach Notification Rule can result in financial penalties. OCR has recently agreed to settle potential HIPAA Breach Notification Rule violations with Presense Health after breach notifications to patients were delayed. Presense Health was required to pay OCR $475,000 for exceeding the Breach Notification Rule time limit by a month.
Office for Civil Rights investigates all breaches that impact more than 500 individuals to determine whether HIPAA Rules have been violated. Given the recent enforcement activity, action may well be taken against CoPilot for the delayed notifications.
While patients impacted by the incident have only just been notified, prompt action was taken by CoPilot to improve security after the breach was discovered. Those measures included “enhanced verification, enhanced encryption and implementing increased security audit activity.”