Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents. The investigation sought to determine whether Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com