
A.G. Schneiderman Announces Settlement With Healthcare Services Company That Illegally Deferred Notice Of Breach Of More Than 220,000 Patient Records

Company Violated General Business Law That Requires Companies To Provide Notice Of A Breach As Soon As Possible.


New York, NY - June 15, 2017 - Attorney General Eric T. Schneiderman today announced a settlement with CoPilot Provider Support Services, Inc. (“CoPilot”), a New York corporation that provides support services to the health industry, after the company violated General Business Law by waiting over a year to provide notice of a data breach that exposed 221,178 patient records. CoPilot has agreed to pay $130,000 in penalties and to improve its notification and legal compliance program.
 
“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Attorney General Schneiderman. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”
 
CoPilot’s website—www.monovischcp.com—is used by physicians to help determine whether insurance coverage is available for certain medications. On October 26, 2015, an unauthorized individual gained access to confidential patient reimbursement data of CoPilot via the website administration interface, phpMyAdmin. The intruder downloaded reimbursement-related records for 221,178 patients—including their name, gender, date of birth, address, phone number, and medical insurance card information. Of the patients affected, 25,561 were residents of New York; 11,372 of the New York patients’ records also included Social Security numbers.
 
In mid-February 2016, the Federal Bureau of Investigation opened an investigation at CoPilot’s request, focusing on a former CoPilot employee whom CoPilot believed was the intruder.   
 
On January 18, 2017, CoPilot began to provide formal notice to affected consumers in New York. The notifications were issued more than one year after CoPilot learned of the breach of patient data. Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications. General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.
 
Pursuant to the agreement, CoPilot has agreed to pay $130,000 in penalties. It also has agreed to comply with New York’s consumer protection and data security laws, Executive Law § 63(12) and GBL § 899-aa, and to update relevant policies and procedures to ensure compliance with GBL § 899-aa. Its legal compliance program must include training of all officers, managers, and employees of CoPilot as to their roles and responsibilities in ensuring that CoPilot complies with GBL § 899-aa and provides timely notices to affected consumers in the event of a breach. All officers and managers of CoPilot are required to review the obligations of the agreement.
 
The agreement also states that CoPilot should not delay providing notification of a breach to consumers, unless explicitly directed in writing by an authorized law enforcement official investigating the incident for criminal prosecution, where consumer notice of the incident would impede the investigation. In such an event, CoPilot must request a date when notification can be provided, and if a date is not forthcoming, maintain contact with the law enforcement agency until approval for notification pursuant to GBL § 899-aa is provided.
 
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Assistant Attorney General Jordan Adler, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.