Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million
Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). Healthplex has agreed to pay a $2 million financial penalty to New York State and take steps to improve its cybersecurity posture.
The Cybersecurity Regulation took effect in 2017 and requires all financial institutions operating in New York State to implement and maintain a robust cybersecurity program. Some of the key requirements include conducting risk assessments, managing risks, and implementing security policies and procedures, an incident response plan, and multifactor authentication.
Healthplex is a licensed provider of dental insurance management services and must therefore comply with the Cybersecurity Regulation. NYDFS launched a compliance investigation after Healthplex reported a cybersecurity event to NYDFS on April 8, 2022. Healthplex discovered the incident on November 24, 2021, when employees received a suspicious email from an account associate’s account and reported it internally to the security team.
The investigation confirmed that an account associate in customer service had responded to a phishing email that was received on November 22 or 23, 2021. The email required Office 365 email login credentials to be provided to receive a fax message. The credentials were captured, and the threat actor accessed the Office 365 account. The account was used to send further phishing emails, and it was found to contain the protected health information of 89,955 individuals.
The NYDFS investigation revealed that there was no data retention policy limiting the information stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had worked for the company for approximately 20 years, and their account contained more than 100,000 emails. Further, multifactor authentication (MFA) had not been set up for its Office 365 email environment, so a compromised password was all that was required to access the account and the sensitive and nonpublic data of tens of thousands of individuals.
Healthplex had implemented MFA for its email environment; however, it failed to ensure that MFA was completely operational when it migrated to Office 365 earlier in the year. With the password obtained in the phishing attack, the entire contents of the account could be accessed via a standard web browser. § 500.12(b) of the Cybersecurity Regulation requires MFA to be implemented for remote access to the covered entity’s information systems and third-party applications.
The required cybersecurity program must ensure that a covered entity is able to report cybersecurity events promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity event. While the event was detected on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of § 500.17(a) of the Cybersecurity Regulation. Healthplex had certified that it was compliant with the Cybersecurity Regulation for 2021, but the investigation confirmed that not to be the case, in violation of § 500.17(b). The lack of policies for secure disposal of data on a periodic basis was in violation of § 500.13 of the Cybersecurity Regulation.
In addition to the financial penalty, Healthplex has agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will hire an independent third-party auditor to conduct a current audit of the MFA controls of its business infrastructure and shared systems that support its core business functions.
This is not the first financial penalty for Healthplex over the phishing incident. In 2023, Healthplex settled an investigation with the New York Attorney General and paid a financial penalty of $400,000 to resolve alleged violations of HIPAA and state data security and consumer protection laws.
