HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Texas Patients Just Informed of 2015 CoPilot Data Breach

Patients of a Texas orthopedic clinic are just finding out that some of their protected health information was exposed in a 2015 CoPilot data breach.

In October 2015, a website maintained by CoPilot Provider Support Services was accessed by an unauthorized individual. That individual gained access to, and downloaded, the PHI of more than 220,000 patients. The website was used by providers to find out whether two drugs – ORTHOVISC® and MONOVISC® – were covered by the patients’ health insurance.

CoPilot discovered its website had been breached on December 23, 2015, and launched an investigation. The individual who accessed the data was identified and the matter was reported to law enforcement. No information was believed to have been accessible by the public.

While the incident was resolved, CoPilot delayed issuing breach notifications until January 2017. That delay resulted in a $130,000 fine from the New York Attorney General in June 2017.

It has been two years since the breach, and eight months from when notifications were issued, but some breach victims are only just discovering they have been impacted. 653 patients of Kraig R. Pepper, D.O., P.A. were only notified of the breach in late September.

Dr. Pepper did not become aware of the breach until July 31, 2017, when he found out some of his patients’ data had been exposed in the 2015 CoPilot data breach. The breached information did not include any medical records, X-rays, or test results held by Dr. Pepper, only information that was provided to DePuy Mitek, Inc., the company from which the drugs were purchased. The information that was disclosed to that company and exposed included names, addresses, Social Security numbers, dates of birth, phone numbers, gender, ID numbers, group numbers, medical insurance information, prescription information, and some clinical information.

While there has been a considerable delay in receiving notification, affected patients have been offered identity theft protection services without charge for 12 months.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.