Superintendent Adrienne A. Harris Secures $2 Million Cybersecurity Settlement with Healthplex Inc. | Department of Financial Services

New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex Inc. (Healthplex) will pay a $2 million penalty to New York State for violations of DFS's cybersecurity regulation, 23 NYCRR Part 500. As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex's multi-factor authentication (MFA) controls.

"Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders," said Superintendent Harris. "The Department's nation-leading cybersecurity regulation requires insurers and other regulated entities to maintain and implement robust cybersecurity policies so the private information New Yorkers entrust to them is protected. Healthplex's failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers."

Healthplex is a licensed provider of dental insurance management services. In late 2021, a Healthplex customer service employee received and clicked on a phishing email, which granted threat actors access to all of the consumer data in the employee's email account. The Department's investigation revealed that Healthplex had no data retention policy to limit the storage of emails in Microsoft Outlook. As a result, the nonpublic information (NPI) of tens of thousands of New Yorkers was vulnerable to exposure. Notably, Healthplex did not have MFA controls set up on its Microsoft Outlook 365 email environment. These failures made it possible for the threat actors to gain access to troves of sensitive consumer NPI, including health data.

The Department's investigation also revealed that Healthplex waited over four months, well beyond the 72-hour reporting requirement in the cybersecurity regulation, from initially learning of the phishing incident and subsequent data exposure before notifying the Department. This notice requirement is a critical safeguard that enables the Department to carry out its consumer protection function.

The Department's cybersecurity regulation has been in effect since March 2017, with an updated regulation becoming effective in November 2023.

Read the Healthplex consent order.