Healthplex to Pay $2 Million in Cybersecurity Settlement Over Phishing Breach That Exposed Tens of Thousands of New Yorkers’ Data
Key Takeaways
- $2 Million Settlement: Healthplex will pay New York State $2 million for violations of the DFS cybersecurity regulation following a 2021 phishing attack.
- Basic Controls Missing: Lack of multi-factor authentication on Microsoft Outlook 365 and no email retention policy allowed attackers to access over 100,000 messages containing sensitive data.
- Sensitive Data Exposure: Tens of thousands of consumers’ personal and health information — including Social Security numbers and medical records — was exposed.
- Late Breach Reporting: DFS was notified more than four months after Healthplex discovered the breach, far exceeding the 72-hour reporting requirement.
- Remediation Requirements: Healthplex must hire an independent auditor to review MFA controls across key systems and remediate any weaknesses on a DFS-approved timeline.
Deep Dive
The New York State Department of Financial Services (DFS) has reached a $2 million settlement with Healthplex after finding the dental insurance management company violated the state’s cybersecurity regulation, enabling a late-2021 phishing attack that compromised sensitive personal and health information for tens of thousands of consumers.
Superintendent Adrienne A. Harris said the incident underscored why insurers and other regulated entities must maintain strong defenses under DFS’s nation-leading cybersecurity rules, noting that Healthplex’s failures left private data “vulnerable to exposure.”
DFS investigators found that a customer service employee clicked a phishing email disguised as a fax message, unwittingly providing the attacker with login credentials. The absence of multi-factor authentication (MFA) for Healthplex’s Microsoft Outlook 365 email access, coupled with a lack of a data retention policy, meant the attacker could enter through a web browser and sift through over 100,000 stored emails containing names, addresses, Social Security numbers, driver’s license details, financial data, and personal health information.
The consent order revealed multiple violations of 23 NYCRR Part 500, including:
- Failure to implement MFA for external network access.
- Failure to develop secure disposal policies for nonpublic information (NPI).
- Failure to notify DFS of the breach within the required 72-hour window; the delay was more than four months.
- Improper compliance certifications from 2018 through 2021.
The phishing attack was first detected internally on November 24, 2021, yet DFS wasn’t notified until April 8, 2022. Regulators stressed that timely notice is a critical safeguard, enabling DFS to act quickly to protect consumers.
Under the settlement, Healthplex must hire an independent, DFS-approved auditor within 60 days to review MFA controls across its infrastructure, including Microsoft Office 365, Azure, and its claims system. The company will be required to remediate any material weaknesses found during the audit and provide proof to DFS.
DFS credited Healthplex for cooperating during the investigation and for its ongoing remediation, including enabling MFA for web browser email access and adopting a record retention policy.
Still, Superintendent Harris emphasized that these measures came only after preventable failures: “The private information New Yorkers entrust to insurers must be protected. Our regulation requires robust cybersecurity policies, and Healthplex’s failure to adhere to them resulted in the exposure of sensitive data.”
The case reinforces DFS’s aggressive enforcement of its cybersecurity regulation (first implemented in 2017 and updated in November 2023), which serves as a national model for safeguarding consumer financial and health data.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.