
Texas Patients Just Informed of 2015 CoPilot Data Breach


Patients of a Texas orthopedic clinic are just finding out that some of their protected health information was exposed in a 2015 CoPilot data breach.

In October 2015, a website maintained by CoPilot Provider Support Services was accessed by an unauthorized individual. That individual gained access to, and downloaded, the PHI of more than 220,000 patients. The website was used by providers to find out whether two drugs – ORTHOVISC® and MONOVISC® – were covered by the patients’ health insurance.

CoPilot discovered its website had been breached on December 23, 2015, and launched an investigation. The individual who accessed the data was identified and the matter was reported to law enforcement. No information was believed to have been accessible by the public.

While the incident was resolved, CoPilot delayed issuing breach notifications until January 2017. That delay resulted in a $130,000 fine from the New York Attorney General in June 2017.

It has been two years since the breach, and eight months since notifications were issued, but some breach victims are only just discovering they have been impacted. 653 patients of Kraig R. Pepper, D.O., P.A. were only notified of the breach in late September.

Dr. Pepper did not become aware of the breach until July 31, 2017, when he found out some of his patients’ data had been exposed in the 2015 CoPilot data breach. The breached information did not include any medical records, X-rays, or test results held by Dr. Pepper, only information that was provided to DePuy Mitek, Inc., the company from which the drugs were purchased. The information that was disclosed to that company and exposed included names, addresses, Social Security numbers, dates of birth, phone numbers, gender, ID numbers, Group numbers, medical insurance information, prescription information, and some clinical information.

While there has been a considerable delay in receiving notification, affected patients have been offered identity theft protection services without charge for 12 months.

Author: HIPAA Journal
