Unauthorized Access Breach Raises Many Questions
2015 Incident Involved Insurance Eligibility Database
A 2015 incident involving unauthorized access to a database healthcare professionals use to check the insurance eligibility of patients to receive certain injections for treating osteoarthritis appears to have resulted in a breach affecting 220,000 individuals.
CoPilot Provider Support Services Inc., a Long Island, N.Y.-based provider of healthcare administrative and IT services, announced on Jan. 18 that it "has been made aware of and managed an unauthorized access of one of its databases used by healthcare professionals and notified patients whose information may have been included in the impacted database."
The company does not call the event a "breach" in its statement, but characterizes it as a "security incident." CoPilot also says it does not have evidence to suggest that any patient information was distributed or misused for purposes of identity theft or to cause financial harm.
The database, intended for healthcare professionals in the U.S. to advise patients on whether certain aspects of treatment are covered by insurance, "was illegally accessed in October 2015, including limited information of approximately 220,000 individuals, such as patient name, gender, date of birth, address, phone number, health insurer and in some instances Social Security numbers," CoPilot's Jan. 18 statement says.
CoPilot states that it learned of this incident on Dec. 23, 2015, "and immediately launched an investigation and implemented additional security measures." Based on a comprehensive cybersecurity investigation, it says it determined that no financial information or medical treatment records were accessed.
In a separate statement provided to Information Security Media Group, CoPilot says it "has investigated the unauthorized access of one of its healthcare professional website databases, which contained limited patient information. Upon learning of the situation, CoPilot immediately launched an investigation, worked with law enforcement and implemented additional security measures."
The company did not specifically address ISMG's inquiry into why it took more than a year after learning of the incident for CoPilot to notify affected individuals.
"Given the complexity of these types of events, CoPilot's investigation involved a lengthy process working closely with law enforcement to assess this incident, including what information and who may have been affected," the company notes in its statement. "In addition to our coordination with law enforcement, we also worked quickly to implement additional security measures in order to contain the incident and further protect our system."
CoPilot tells ISMG that, based on its review, it determined that "a former employee illegally accessed one of its healthcare professional website databases. It is important to note that, currently, we have no evidence to suggest that any patient information was distributed or misused for purposes of identity theft or to cause financial harm. However, CoPilot has proactively reached out to impacted patients to provide guidance on how to protect themselves and has offered identity theft protection services to affected individuals. We have also set up a dedicated call center for patients with questions."
The company notes in its statement to ISMG that it is "taking steps to prevent this type of incident from occurring again in the future, including the monitoring of its databases by K2 Intelligence Inc.," an independent forensic IT firm.
The blog Databreaches.net says a copy of a sample CoPilot patient notification letter it obtained explains: "CoPilot maintains a particular website, www.monovischcp.com, used by physicians to help determine whether insurance coverage is available for ORTHOVISC and MONOVISC injections. This website may have been used by your physician's office to make an inquiry about your insurance coverage for these injections."
CoPilot is offering one year of credit monitoring services, the notification states.
A Business Associate?
A CoPilot source tells ISMG that the company "supports physicians in the furtherance of payment or healthcare operations. As such, it is not a business associate to physicians but it is covered by HIPAA in its relationship to providers. HIPAA permits physicians to disclose PHI to organizations like CoPilot - with or without a BAA [business associate agreement] - since disclosure(s) is in furtherance of payment or healthcare operations."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the company's statements leave more questions than answers.
"It's very hard to tell what is going on from the statements," he says. "It says that no sensitive information was accessed, so it isn't clear why they are giving notice at all or providing identity theft protection. They may have concluded that HIPAA doesn't require notice but that they should give it anyways. If it is a HIPAA notice, then it is way late without any obvious excuse. If it's a 'voluntary notice,' it's still weird that they waited this long, but we don't know if there is some reason other than sloppiness."
Privacy and security expert Kate Borten, president of consulting firm The Marblehead Group, disagrees with the characterization that CoPilot is not a business associate under HIPAA.
"The company's language indicates it does not see itself as a BA. However, if the providers are sharing PHI with the company to determine patient payment expectations, this sounds like a straightforward BA service."
In any case, Borten says the biggest lesson in the CoPilot case so far is that "both covered entities and BAs must aggressively identify their BAs and ensure BAs sign BA agreements and comply with the [HIPAA] rules."
Borten says it's not clear what level of security and privacy protections the company had in place prior to the incident. "Further, this is a breach. However, the company seems to avoid identifying it as such, since the company claims there is no indication the data has been misused. However, that is not how PHI breaches are defined."
Borten says covered entities should "beware of disclosing their PHI to any organization that is not fully aware of and compliant with HIPAA's privacy and security regulations."
Keith Fricke, partner and principal consultant of tw-Security, says the CoPilot incident also offers other important lessons.
"It becomes yet another reminder about the same lessons to be learned in healthcare breaches: Invest in the proper preventive and detective security processes and tools," he says. "In addition, have response plans in place and rehearse them periodically. Healthcare breaches happen too frequently these days."