An unauthorized person gained access to, and obtained, secret information on about 220,000 patients from the database of the official website of CoPilot Provider Support Services. Physicians use this website to check whether MONOVISC and ORTHOVISC injections are covered by health insurance providers. Information entered on the official website usually goes into a database held by CoPilot. This database was accessed and downloaded by an unauthorized person, although under CoPilot's rules and policies no one has the right to access the databases unless they are authorized.
Although the breach notice does not give specific details, the person who breached the information was one of the company's previous employees. CoPilot also explained that information about the person has been passed to law enforcement. Later, the law enforcement investigation confirmed that CoPilot's report is correct.
It is confirmed that the data was accessed and downloaded, and CoPilot further stated that the attacker's intent was to commit fraud. This, too, points to the previous employee rather than a hacker. The database included names, addresses, genders, phone numbers, insurance information, Social Security numbers and even some other card information.
All the affected people are being provided with identity and credit monitoring services through Kroll for a year. This is the best option for the affected people, so that they can easily use their information. It has, however, been shown that the data has not been misused or disclosed publicly. The incident came to light when CoPilot received complaints that anyone could easily download the uploaded information. In response, it called in a cybersecurity firm to start the investigation immediately.
On 8th Jan 2017, CoPilot published a press release that highlighted the security incident, and it then informed the California Department of Justice. On 19th Jan 2017, it also started notifying the affected patients of the breach. According to CoPilot, the breach was discovered on 23rd Dec 2015, and about a year passed without the information about the breach being revealed. CoPilot also found that patients' PHI had been improperly downloaded in Oct 2015. According to the Health Insurance Portability and Accountability Act's (HIPAA) Breach Notification Rule, data breach information should be provided to patients within 60 days after the breach.
Failure to follow the breach rules and regulations can be a cause of financial penalties. OCR examines all breaches that affect 500+ individuals to check whether HIPAA rules have been followed. The details of the recent activity show that action will be taken against CoPilot for the delays in notifying the affected people. In this case, only the affected members were notified. CoPilot should also take some steps to improve its security measures.