Tag Archives: HIPAA

CoPilot settles with New York AG for delaying breach notification for over one year

This is only the beginning of what will happen in the future.

It took over a year to notify 220,000 individuals of a breach to its website. HHS is determining if it’s a HIPAA-covered business associate.

CoPilot Provider Services has settled with New York for $130,000 in penalties for waiting more than a year to notify its customers of a breach to the company’s website, NY Attorney General Eric Schneiderman announced Thursday.

The attorney general determined the healthcare administrative services and IT provider violated general business law, in its delayed breach notification to its 221,178 customers. CoPilot agreed to the monetary settlement and to reform its notification and legal compliance program.

The breach occurred in October 2015, when an unauthorized individual accessed confidential patient reimbursement data through the administration site. The hacker downloaded data that included names, birthdates, addresses, phone numbers and medical insurance card details.

However, CoPilot waited until January 2017 to begin formally notifying its customers of the breach.

The FBI began investigating the incident in February at CoPilot’s request, focusing on a former employee they believed was responsible.

CoPilot blamed the breach notification delay on the FBI investigation, but law enforcement didn’t say that customer notification would hinder the ongoing investigation and didn’t instruct CoPilot to delay. General business law instructs that companies must provide timely breach notification.

The Department of Health and Human Services is still looking into whether CoPilot is considered a covered business associate under HIPAA.

Thursday’s agreement also states that CoPilot will comply with New York’s consumer protection and data security laws.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Schneiderman in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

Ponemon Institute Reports Healthcare Data Under Attack by Criminals.

Results from the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data have confirmed what many in the healthcare industry had suspected and even feared: 65% of the healthcare organizations participating in the study had experienced electronic information-based security incidents over the past two years. In addition, some 87% of third-party vendors, identified by HIPAA as Business Associates (BAs), reported a data breach in the last two years.

More disturbing is the revelation that for the first time in the history of the study, criminal attacks are the number one cause of data breaches in healthcare. The number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago. According to the study, more than 90% of the healthcare organizations taking part had experienced a data breach, and 40% of the respondents had experienced more than five data breaches over the past two years.

No healthcare organization, no matter its size, is impervious to these attacks. And they are certainly not immune to the side effects of a breach.

The rapid growth of data breaches in the healthcare industry is putting health information at risk at an alarming rate. Moreover, it’s expensive—for all concerned. According to the Ponemon Institute study, “…the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million…the average cost of a data breach to BAs represented in this research is more than $1 million.”

The study’s findings also reveal that 45% of the healthcare organizations surveyed reported the occurrence of a Cyberattack indicated the source of the attack was criminal, while 12% cited the work of malicious insiders. 39% of the BAs reported breaches caused by criminal attackers while 10% attributed the attacks to malicious insiders.

The study described an increase in Web-borne malware attacks, citing 78% of the healthcare organizations surveyed as having experienced security incidents caused by malware; 82% of BAs had suffered security incidents attributed to malware.

Perhaps one of the most shocking data points reported is that in spite of the increased criminal activity and the rapidly evolving threat environment, the majority of healthcare organizations indicated implementing no changes to what they’re doing or how they’re doing it. Only 40% of healthcare organizations and 39% of BAs surveyed expressed concern about cyberattacks.

Other Findings Giving Cause for Increased Cyber security Measures

Policies and Procedures in Place

The survey results clearly illustrate the reality that healthcare organizations and the BAs with whom they work need to invest more in technologies that allow them to respond quickly to data breaches. While 58% of healthcare organizations responding agreed that they have policies and procedures in place that allow them to detect a data breach quickly and efficiently, fewer than half believe they have sufficient technologies in place to do so — and only 33% were confident they have the resources needed to prevent or quickly detect a data breach. Responses of BAs participating in the survey fell along similar lines. 50% of business associates responding stated that they have the policies and procedures in place to prevent or detect a security incident, while fewer than half believe they have sufficient technologies. Lastly, only 41% of BAs stated that they have adequate resources to be able to identify and repair data breaches.

Top Concerns of Respondents

The research also revealed interesting insights relating to the top concerns of survey respondents. While the number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago (and 45% of the organizations surveyed traced data breaches to criminal activity) only 40% of the respondents were most concerned about Cyberattacks as a security threat. BAs were even less immediately worried with only 35% citing Cyberattacks as a top concern. Here’s an overview of what they reported being most concerned about:

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

The security threats BAs worry about most:

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

How Attacks Are Discovered

Among other key findings detailed in the Poneman report are the statistics relating to how health organizations have uncovered the security attacks. 69% learned of a data breach through an audit or assessment, while 44 % were discovered by an employee. 30% of data breaches were reported by patients, 23% were uncovered accidentally, and 18%came from a legal complaint. Law enforcement was responsible for 6 % of the discoveries and loss prevention teams for 5%.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data  

Business associates reported different statistics, with 60% of data breaches reported as being uncovered by employees and 49% discovered as a result of audit or assessment. BAs said 33% were found accidentally, 21% through a legal complaint, 17% from a patient complaint, 13% from loss prevention teams, and 12% by law enforcement.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data


The findings of the Ponemon Institute survey paint an alarming picture: the healthcare industry, which manages vast amounts of personal data, is under attack by criminal elements and jeopardized by employee negligence, as well as the actions of malicious insiders. The number of data breaches is growing exponentially, and both healthcare organizations, and the business associates who serve them lack sufficient technologies, resources, and processes to ensure data is kept secure.

The report details a slow but steady increase in technologies used by both healthcare organizations and their business associates to detect and mitigate the impact of cybersecurity threats, but concludes that the pace of the investments in both technologies and security expertise is not sufficient at this time.

In conclusion, the Ponemon Institute calls for intensive employee training and awareness programs, ramped up investments in technologies and security expertise, and a broad application of innovative solutions to the industry to improve the current status of the privacy and security of the nation’s healthcare data.


For Your Eyes Only: Experts Explore Preventing Inadvertent Disclosures During Discovery

The Altep, kCura and Milyli webinar explored best practices for safeguarding information, as well as technological tools for redaction

There may be a number of “Scott’s” in Chicago, but there are fewer with a specific last name attached, and there is only one with that specific Social Security Number. This information – or a telephone number, or a fingerprint, or even the MAC address of a computer – can be used to identify and verify a person.

But of course, for as valuable as personally identifiable information (PII) may be for you, it’s just as valuable to a malicious actor looking to steal and utilize it for nefarious purposes. That’s why, when conducting discovery, protecting that information should be of the utmost importance for organizations, law firms, and discovery vendors.

Three of those legal technology companies joined together to put that security forth in a recent webinar called“How to Prevent the Disclosure of PII.” The webinar’s panel included Hunter McMahon, vice president of legal and consulting services, Altep; Scott Monaghan, technical project manager, Milyli; Aileen Tien, advice specialist, kCura; and Judy Torres, vice president of information services, Altep.

In order to prevent disclosure, the panelists asked one important question: What exactly is PII? “It really comes down to what information can identify you as an individual,” McMahon said. This includes information that can be categorized into different categories based on how specific and how personal it is , leading McMahon to notenote that data holders should examined PII to determine if it is sensitive, private, or restricted.

When examining PII in the system, it’s also important to examine what regulations and laws the PII falls under. This can include a number of different federal regulations, HIPAA/HITECH (health PII), GLBA (financial PII), Privacy Act (PII held by Federal Agencies), and COPPA (children’s PII). Forty-seven states also have their own information laws, including varying guidelines on breach notification, level of culpability, and more.

Once that information is known, said the panelists, those conducting discovery should turn to the next question: What are the processes in place to protect the data? “Documents that are in the midst of discovery are really an extension of your retention policy… so you have to think about that risk the same way,” McMahon noted.

Torres explained that the proper approach to take to PII is that it will always be in a document set, if it seems unlikely that PII exists in a system. For example, she said not to assume that because a data set concerns only documents accessed during work hours, it will not contain PII.

“Most people, when they’re working, are also working the same time as those people they need to send documents to,” Torres explained. In one case, looking at data from Enron’s collapse, the documents in the case contained 7500+ instances of employee PII, including that of employee’s spouses and children, as well as home addresses, credit card numbers, SSN, and dates of birth.

In order to combat this data lying in the system, it’s important to take a proactive approach, the panel said. “The approach is much like data security in that it’s not going to be perfect, but you can help reduce the risk,” McMahon added.

To protect it in review, those conducting discovery can limit access to documents with PII, limit the ability to print, and limit the ability to download native files. Likewise, teams can employ safeguards during review such as training review teams on classifications of PII, training reviewers on PII workflow, implementing a mechanism for redaction and redaction quality control, and establishing technology encryption.

And even if not using human review, abiding these protocols can be important, “I see such a trend of more cases using assisted review, so you’re not necessarily having human eyes on every document. So it makes sense to make our best effort to protect PII on documents that may not necessarily have human review,” Torres said.

Properly conducting redactions to make sure nothing is missed can be a pain for reviewers as well, but Tien walked the webcast’s viewers through an introduction of regular expressions (reg-ex), one of the most common technology tools for PII redaction. In short, reg-ex is a pattern searching language that allows one to construct a single search string to search for a pattern of characters, such as three numbers, or three letters.

For one example, Social Security Numbers have a very specific format: XXX-XX-XXXX. Reg-ex can be used to find all constructions of this type, using an input like the following: [0-9]{3} – [0-9]{2} – [0-9]{4}

“With practice, you’ll be able to pick this up like any foreign language,” Tien said.

See post Sneaky PII: What’s Hiding in Your Data?