High Drama in HIPAA Land: the CoPilot Breach
The leak late last year of information on more than 200,000 patients of CoPilot Provider Support Services was just the first act in what is proving to be a bizarre and mysterious HIPAA ‘whodunnit.’
The story that’s proving to be the regulatory equivalent of a Shakespearean drama began in January, when CoPilot Provider Support Services (or “CoPilot”) disclosed what appeared to be a run-of-the-mill event in these troubled times: a breach of a corporate database containing information on some 220,000 people.
The incident was described by CoPilot as one in which a company databased was “illegally accessed in October 2015.” The company said it learned of the incident on December 23rd of that year and “immediately launched an investigation and implemented additional security measures,” and notified patients.
Incidents like these – while dispiriting – are distressingly common. Just in 2017, we’ve seen a $5.5 million HIPAA settlement against Memorial Healthcare Systems for exposing protected health information of 115,143 people. We’ve seen patient data from a sleep disorder program exposed by a misconfigured MongoDB database, and 3.3 million credentials belonging to customers of Sanrio, the owner of the beloved Hello Kitty brand, exposed to would-be hackers. That incident also was linked to an insecure MongoDB instance.
The CoPilot incident is something else entirely: a HIPAA whodunit in which nearly everything we’ve learned about the reported breach is other than it seems.
First, there’s the matter of the incident itself. While CoPilot’s press release about the breach says little about the specifics, a letter sent to affected customers and published by the web site Databreaches.net has the company claiming that has “identified the individual who accessed CoPilot’s database through unauthorized means and downloaded certain health information,” and that the company has referred the matter to law enforcement.
According to published reports, however, that “individual” is longtime employee of the firm John Witkowski, who served as a Senior Vice President of Marketing and Sales. In an interview with Databreaches.net, Witkowski says that CoPilot is lying about the data breach incident – and claims that those lies are just the tip of a much larger iceberg of malfeasance having to do with CoPilot’s work obtaining reimbursements from health insurers on behalf of physicians.
There’s lots to wonder about here, and the paucity of statements from CoPilot don’t help clear the water. After all: Witkowski claims in the interview with Databreaches.net that he left CoPilot in February 2015 after learning about the company’s suspicious business practices. He claims to have learned about the exposed CoPilot database, running phpMyAdmin, in May of that year. He claims that he later stumbled upon the exposed database, containing some 350,000 records, months later, in October 2015. The database could be reached from the public Internet and had no protection – meaning anyone with the address of the database could view its contents in the clear, which included patients’ names, addresses, telephone numbers, dates of birth, insurance information, and Social Security Numbers for some patients. At the very least, that seems to run counter to CoPilot claims, in its letter to patients, that their data “was not accessible for downloading by the general public from the website.” According to Witkowski, it was.
At that point, the former VP claims that he took it upon himself to notify officials at Mitek Sports Medicine without informing CoPilot of the exposed database. But Witkowski also acknowledges that, at the time, he was setting up a company to compete against CoPilot. That’s a suspicious state of affairs. And, when CoPilot was notified of Witkowski’s attempts to inform its customers, they apparently notified the FBI, which launched an investigation.
Finally, there’s the matter of the company’s disclosure of the incident, which came more than a year after the alleged incident was reported. Why the delay? In a statement to Information Security Media Group, CoPilot did not explain the delay in reporting the incident to regulators, but cited the complexity of the incident and resulting investigation. Beyond that, CoPilot said that it does not believe the services it offers to physicians around payment reimbursements qualifies it as a business associate bound by the breach reporting requirements of HIPAA.
“HIPAA permits physicians to disclose PHI to organizations like CoPilot – with or without a BAA [business associate agreement] – since disclosure(s) is in furtherance of payment or healthcare operations,” the company noted in a statement.
That’s a contention that most attorneys with expertise in healthcare and privacy matters take issue with – and certainly one open to debate. If, in fact, CoPilot is determined to be a business associate covered under HIPAA, the company’s year long delay in notifying patients will be highly suspect.
Former employee Witkowski offers still another theory: that the delay may be the result of CoPilot’s months long efforts to get him to withdraw his complaint – a campaign that included the filing of a criminal complaint, threats of lawsuits and offers of cash settlements in exchange for an agreement by Witkowski to withdraw his complaint to federal regulators.
What seems clear is that the CoPilot breach is going to get more scrutiny, as regulators take a hard look at the company’s long delay in reporting, the circumstances surrounding the exposed database of patient information and the various and contradicting claims by the company, Witkowski and others involved.Correction on 3/3/2017: this article previously stated incorrectly that John Witkowski had notified CoPilot customers of the breach himself; this is incorrect and has been updated.