A New Hyde Park-based provider of health care support services has agreed to pay $130,000 in penalties after it violated state law by waiting more than a year to provide notice of a data breach that exposed more than 220,000 patient records, according to Attorney General Eric T. Schneiderman’s office.
CoPilot Provider Support Services Inc. also agreed to improve its notification and legal compliance program, Schneiderman’s office said in a Thursday statement.
The breach of patients’ personal information included names, gender, dates of birth, addresses, phone numbers, medical insurance card information, and, in some cases, Social Security numbers.
Of the patients affected, 25,561 were residents of New York and 11,372 of the New York patients’ records also included Social Security numbers, according to the attorney general.
His office said that in October 2015, an unauthorized individual gained access to confidential reimbursement data at CoPilot via the website’s administration interface, PHPMyAdmin.
In mid-February 2016, the FBI opened an investigation at CoPilot’s request, focusing on a former CoPilot employee who the company believed was the intruder.
As of Jan. 18, 2017, CoPilot had provided formal notice to affected consumers in New York, the company said, adding that it has implemented additional security measures.
The notifications were issued more than one year after CoPilot learned of the breach.
CoPilot said the delay in providing notice was due to the ongoing law enforcement investigation, according to the attorney general’s office, which said the FBI never determined that notifying consumers would compromise the investigation.
State law requires companies to provide notice of a breach “as soon as possible,” Schneiderman’s office said, adding that “a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”
“We are pleased to have closed this matter,” CoPilot said in a Thursday statement.