BOSTON – A healthcare administrative services and IT provider will pay $120,000 and change its business practices to resolve an investigation into its failure to provide timely notice of a data breach that affected nearly 1,900 Massachusetts residents, Attorney General Maura Healey announced today.
CoPilot Provider Support Services Inc. is a New York-based company that operates a website for healthcare providers to check whether a patient’s insurance provides coverage for certain medications. To provide this service, CoPilot’s website connected to a database that contained, among other things, sensitive personal information about consumers, including names and social security numbers.
According to an assurance of discontinuance filed today in Suffolk Superior Court, CoPilot learned that this information had been breached as early as December 2015 but waited more than a year, until January 2017, to notify affected residents of the breach and report it to the AG’s Office. The Massachusetts Data Breach Law requires companies to report data breaches as soon as possible.
“CoPilot broke the law by failing to let our residents know that their sensitive data was compromised,” AG Healey said. “Companies must safeguard the personal information of consumers and disclose any breaches as soon as possible.”
The AG’s investigation found that in December 2015, CoPilot began receiving email messages from a former employee who claimed that CoPilot’s databases containing consumers’ personal and health information could be found and downloaded from the internet. Soon after receiving these emails, CoPilot knew or had reason to know of a potential breach and should have provided notice.
Under Massachusetts law, companies must notify the AG’s Office, the Massachusetts Office of Consumer Affairs and Business Regulation, and all affected Massachusetts residents of a known data breach as soon as possible and without reasonable delay.
In addition to the $120,000 payment, the assurance of discontinuance requires CoPilot to improve its data breach reporting procedures and ensure its employees undergo annual training regarding its obligation to report data breaches.
The AG’s office has entered into prior settlements with companies related to a failure to timely report a data breach and notify affected residents. In September 2018, AG Healey led a group of 51 attorneys general in reaching a $148 million settlement with Uber to address the ride-sharing company’s failure to promptly report a data breach affecting its drivers and passengers.
Consumers can visit the AG’s website for information about how to protect themselves if they believe their personal information has been compromised by a data breach.
This matter was handled by Assistant Attorneys General Jared Rinehimer and Sarah Petrie, with the assistance of Sara Cable, Director of Data Privacy & Security, all of the AG’s Consumer Protection Division.