DFS Takes Cybersecurity Action Against Healthplex
Per the notice below, the New York State Department of Financial Services (DFS) has taken action against Healthplex, Inc., for cybersecurity failures.
Superintendent Adrienne A. Harris Secures $2 Million Cybersecurity Settlement with Healthplex, Inc.
New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex, Inc. (Healthplex), will pay a $2 million penalty to New York State for violations of DFS’s cybersecurity regulation (23 NYCRR Part 500). As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex’s multi-factor authentication (MFA) controls.
“Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders,” said Superintendent Harris. “The Department’s nation-leading cybersecurity regulation requires insurers and other regulated entities to maintain and implement robust cybersecurity policies, so the private information New Yorkers entrust to them is protected. Healthplex’s failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers.”
Healthplex is a licensed provider of dental insurance management services. In late 2021, a Healthplex customer service employee received and clicked on a phishing e-mail which granted threat actors access to all of the consumer data in the employee’s e-mail account. The Department’s investigation revealed that Healthplex had no data retention policy to limit the storage of e-mails in Microsoft Outlook. As a result, the nonpublic information (NPI) of tens of thousands of New Yorkers was vulnerable to exposure. Notably, Healthplex did not have MFA controls set up on its Microsoft Outlook 365 e-mail environment. These failures made it possible for the threat actors to gain access to troves of sensitive consumer NPI, including health data. The Department’s investigation also revealed that Healthplex waited over four months, well beyond the 72-hour reporting requirement in the cybersecurity regulation, from initially learning of the phishing incident and subsequent data exposure before notifying the Department. This notice requirement is a critical safeguard that enables the Department to carry out its consumer protection function. The Department’s cybersecurity regulation has been in effect since March 2017, with an updated regulation becoming effective in November 2023. Read the Healthplex consent order here.
