The New York State Department of Financial Services (DFS) announced that Delta Dental Insurance Company (DDIC) and Delta Dental of New York, Inc. (DDNY) will pay a combined USD 2.25 million penalty after an investigation found violations of the Department's cybersecurity regulation, 23 NYCRR Part 500. Inadequate incident response policies and procedures allowed threat actors to exploit the mid-2023 zero-day vulnerability in MOVEit Transfer and obtain unauthorized access to New Yorkers' personal information. Both companies used MOVEit Transfer servers to exchange files with affiliates' customers, business partners, medical professionals, and employees. DFS had alerted regulated entities on June 2, 2023 to the vulnerability and its remediation, but attackers nonetheless accessed the companies' MOVEit servers and exfiltrated a significant volume of files containing consumer non-public information, including names, addresses, Social Security numbers, driver's license numbers, financial account information, and patient health information. The investigation also found failures to implement required retention settings, policies, procedures, and controls, and that DDIC and DDNY did not timely report their cybersecurity events. The companies notified all affected consumers by March 2024.