It has taken more than a year for approximately 220,000 ORTHOVISC® and MONOVISC® users to receive notification that their personal information was stolen. CoPilot maintains a website that helps physicians determine whether a patient’s insurance covers certain treatments, including ORTHOVISC® and MONOVISC® injections. These injections are used to treat osteoarthritis by providing additional lubrication to ailing joints.
The security incident came to light when CoPilot started to receive complaints claiming information uploaded to the website could be downloaded. An investigation was immediately initiated and a cybersecurity firm was retained to conduct a forensic investigation.
CoPilot issued a press release on January 18, 2017 announcing the security incident, notified the California Department of Justice on January 19, 2017, and started informing patients on or around the same date. However, these actions come more than a year after the incident occurred.
In October 2015, an unauthorized user breached a database containing patients’ names, gender, date of birth, address, phone number, health insurer and, in some instances, Social Security numbers. While not explicitly stated in the breach notice, the wording suggests that the individual responsible for the breach was a former employee.
CoPilot discovered the security breach on December 23rd of 2015 and “immediately launched an investigation”, but has declined to answer why they waited a full year before reporting the breach and notifying patients that their identities had been stolen.
Under Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule, entities must issue notifications to patients, the media, and the Office for Civil Rights (OCR) within 60 days of the discovery of a breach, or suffer penalties. Presence Health, which also suffered a breach but failed to inform affected patients within 60 days, recently settled to pay OCR a fine of $475,000 for not adhering to notification timeline.
Office for Civil Rights investigates all breaches that impact more than 500 individuals to determine whether HIPAA Rules have been violated. Given the recent enforcement activity, action may well be taken against CoPilot for the notification delay.
CoPilot refers to this act of cyber theft as a “security incident,” and not a “data breach”, and has told patients it has no reason to believe that any of the downloaded information was misused, nor that it will be disclosed to other individuals. Regardless of the usage of the data, Patient Health Information (PHI) breaches are not defined by whether data was misused, or not, but if the data was protected under the Health Insurance Portability and Accountability Act.
CoPilot is offering one-year of credit monitoring services via Kroll for 12 months to those affected by the incident and has set up a dedicated call center for patients with questions, which can be reached at (855) 205-6948, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time, excluding major holidays.