The New York State Department of Financial Services announced a settlement with Healthplex, Inc. under its cybersecurity regulation (23 NYCRR Part 500), requiring the dental insurance management services provider to pay a USD 2 million penalty and retain an independent auditor to examine the adequacy of its multi-factor authentication (MFA) controls. DFS’s investigation followed a late 2021 email phishing incident in which a Healthplex customer service employee clicked a phishing email, giving threat actors access to all consumer data in the employee’s email account. The investigation found Healthplex lacked a data retention policy limiting email storage in Microsoft Outlook and did not have MFA enabled for its Microsoft Outlook 365 environment, leaving the nonpublic information of tens of thousands of New Yorkers, including health data, vulnerable to exposure. DFS also found Healthplex delayed notifying the Department for more than four months after initially learning of the incident, exceeding the regulation’s 72-hour reporting requirement.
New York State Department of Financial Services 2025-08-14
New York State Department of Financial Services secures USD 2 million cybersecurity settlement with Healthplex and mandates independent review of MFA controls
The New York State Department of Financial Services settled with Healthplex, Inc. for USD 2 million under its cybersecurity regulation, following a 2021 phishing incident. Healthplex must retain an independent auditor to assess its multi-factor authentication controls. The investigation revealed inadequate data retention policies and delayed incident reporting, compromising the nonpublic information of thousands of New Yorkers.