Delta Dental Fined $2.25 Million Over 2023 MOVEit Transfer Hack
Delta Dental Insurance and Delta Dental of New York (Delta Dental) have agreed to pay a fine of $2.25 million to the New York Department of Financial Services to settle alleged violations of New York cybersecurity regulations. The violations were discovered during an investigation of a 2023 hacking incident that affected almost 7.1 million of its customers.
The incident in question occurred over the Memorial Day weekend in 2023 and was detected by Delta Dental on June 1, 2023. A Russian-speaking cybercriminal group called Clop (aka Cl0p) exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer solution, accessed the solution between May 27 and May 30, 2023, and exfiltrated approximately 60,000 files. The group then demanded a ransom to prevent the publication of the stolen files.
By July 6, 2023, Delta Dental confirmed that a range of sensitive personal and protected health information had been stolen, including names, addresses, Social Security numbers, driver’s license numbers, financial account information, and health information. Delta Dental was one of around 2,700 companies to fall victim to the automated mass exploitation attacks.
Delta Dental Insurance, a dental insurance underwriter, and its subsidiary, Delta Dental of New York, were investigated by the New York Department of Financial Services after being notified about the data breach on December 15, 2023. The Department of Financial Services identified several violations of state laws, including the failure to provide timely notice about the data breach. Under N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17(a)(1), covered entities are required to notify the superintendent about a cybersecurity incident within 72 hours of discovery.
According to the consent order, Delta Dental did not implement and maintain a written policy addressing incident response, in breach of the New York cybersecurity regulations for financial services companies – 23 NYCRR § 500.3(n), and did not have a written incident response plan that sufficiently addressed its reporting obligations to regulators, in violation of § 500.16(b)(6). Further, Delta Dental did not implement policies and procedures for the secure disposal of data no longer required for business purposes, as required by § 500.13.
The investigation found that most of the data stolen in the attack had been on the server for more than 30 days. By default, MOVEit Transfer sets the data retention period to 30 days; however, Delta Dental had changed the retention period first to 45 days, and then to 60 days for many folders. Some folders had data retention settings disabled and there were no written policies regarding requesting, reviewing, or approving changes to the data retention settings.
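The retention finding above is one that a defender can check mechanically: compare each folder's configured retention against the product default (30 days for MOVEit Transfer, per the article), flag folders where retention is disabled or was raised without a documented approval, and list files that have outlived either the folder's own retention or the baseline. The script below is an added illustration, not Delta Dental's or Progress Software's code; the folder names, dates and the `change_approved` flag are constructed sample data, and the discovery date of June 1, 2023 is used as "now" so that file ages are easy to reason about.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Baseline retention period: the MOVEit Transfer default cited in the article.
DEFAULT_RETENTION_DAYS = 30


@dataclass
class FolderPolicy:
    name: str
    retention_days: Optional[int]  # None means retention is disabled (files never expire)
    change_approved: bool          # hypothetical flag: deviation from default was formally approved


@dataclass
class StoredFile:
    folder: str
    path: str
    uploaded_at: datetime


def audit_folders(policies: List[FolderPolicy],
                  baseline_days: int = DEFAULT_RETENTION_DAYS) -> List[Tuple[str, str]]:
    """Return (folder, finding) pairs for folders whose retention settings need review."""
    findings = []
    for p in policies:
        if p.retention_days is None:
            findings.append((p.name, "retention disabled"))
        elif p.retention_days > baseline_days and not p.change_approved:
            findings.append((p.name,
                             f"retention {p.retention_days}d exceeds baseline "
                             f"{baseline_days}d without documented approval"))
    return findings


def stale_files(files: List[StoredFile], policies: List[FolderPolicy], now: datetime,
                baseline_days: int = DEFAULT_RETENTION_DAYS) -> List[Tuple[str, int, List[str]]]:
    """Return (path, age_days, reasons) for files held longer than they should be.

    'past_folder_retention' means the configured purge did not happen (or the
    setting changed); 'over_baseline' means the file exceeds the product default,
    which is the threshold the regulator measured against in the article.
    """
    by_name = {p.name: p for p in policies}
    flagged = []
    for f in files:
        age = (now - f.uploaded_at).days
        limit = by_name[f.folder].retention_days
        reasons = []
        if limit is not None and age > limit:
            reasons.append("past_folder_retention")
        if age > baseline_days:
            reasons.append("over_baseline")
        if reasons:
            flagged.append((f.path, age, reasons))
    return flagged


# Constructed sample data (not from the incident): four folders, five files.
POLICIES = [
    FolderPolicy("claims-inbound", 60, change_approved=False),
    FolderPolicy("archive", None, change_approved=False),
    FolderPolicy("partner-drop", 45, change_approved=True),
    FolderPolicy("default-inbox", 30, change_approved=True),
]

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # discovery date used as the audit time
FILES = [
    StoredFile("claims-inbound", "claims-inbound/batch-0401.csv", datetime(2023, 4, 1, tzinfo=timezone.utc)),
    StoredFile("claims-inbound", "claims-inbound/batch-0510.csv", datetime(2023, 5, 10, tzinfo=timezone.utc)),
    StoredFile("archive", "archive/export-0301.zip", datetime(2023, 3, 1, tzinfo=timezone.utc)),
    StoredFile("partner-drop", "partner-drop/file-0420.pdf", datetime(2023, 4, 20, tzinfo=timezone.utc)),
    StoredFile("partner-drop", "partner-drop/file-0525.pdf", datetime(2023, 5, 25, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for folder, finding in audit_folders(POLICIES):
        print(f"[folder] {folder}: {finding}")
    for path, age, reasons in stale_files(FILES, POLICIES, NOW):
        print(f"[file]   {path}: {age} days old ({', '.join(reasons)})")
```

Run against a real MOVEit Transfer deployment, the folder list and file inventory would be exported from the product's administration interface or API rather than hard-coded; the point of the two checks is that the first catches the configuration drift (raised or disabled retention with no approval record) and the second catches the resulting exposure (files still present that a 30-day default would already have purged).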
Delta Dental is required to pay the financial penalty, although there are no corrective actions required by the order. Provided Delta Dental complies with the consent order, the New York Department of Financial Services will take no further action. “The Department’s nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers,” said Kaitlin Asrow, acting superintendent of the New York Department of Financial Services. “As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.”