CoPilot Provider Support Services, Inc. (CoPilot), which provides health care companies with billing and insurance support services, has settled allegations by the New York Attorney General of failing to notify individuals of a data breach in a reasonable time for $130,000.
CoPilot began investigating unauthorized access to, and downloading of, its reimbursement records through its website in October of 2015. The compromised information included the names, addresses, dates of birth, gender, telephone numbers, medical insurance card numbers, and some Social Security numbers of 220,000 patients, including 25,561 New York residents.
Although the New York breach notification statute says that individuals must be notified of a data breach “as soon as possible,” CoPilot did not notify the individuals of the data breach until January of 2017.
In addition to the fine, CoPilot has agreed to improve its breach notification and legal compliance program, including implementing a company-wide training program on breach notification.
CoPilot contended that the delay in notification was at law enforcement’s request, as law enforcement was investigating the incident, but the NYAG stated that “a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.” In this case, law enforcement did not request a delay of notification in writing. The lesson of this case is the importance of implementing a breach notification program, as well as obtaining written confirmation from law enforcement if it is seeking a delay in notification for investigative purposes.