Healthplex Pays NYDFS $2 Million to Settle Its Cybersecurity Failures

Healthplex, a major dental health insurance program provider in New York, has agreed to settle with the New York Department of Financial Services (NYDFS) over alleged violations of the NYDFS Cybersecurity Regulation. Healthplex will pay a $2 million financial penalty and implement measures to strengthen its cybersecurity.

The Cybersecurity Regulation was introduced in 2017 and requires all financial institutions in New York State to implement and maintain a robust cybersecurity program. Key requirements include performing risk assessments, managing identified risks, implementing security policies and procedures, multifactor authentication, and an incident response plan.

Healthplex is a certified company offering dental insurance management services and is therefore required to comply with the Cybersecurity Regulation. NYDFS opened a compliance investigation after Healthplex reported a cybersecurity incident on April 8, 2022. Healthplex had discovered the incident on November 24, 2021, when an associate’s account was used to send a suspicious email to employees.

The investigation revealed that a customer service account associate responded to a phishing email on November 22 or 23, 2021. The phishing email requested Office 365 email login credentials, purportedly to retrieve a fax message. Once the associate entered the credentials, the threat actor gained access to the Office 365 account and used it to send further phishing emails. The associate’s account contained the protected health information (PHI) of 89,955 individuals.

The NYDFS investigation showed that Healthplex had no data retention policy limiting the data stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had been with the company for roughly 20 years, and the account held more than 100,000 emails. In addition, multifactor authentication (MFA) was not in use for the Office 365 email environment, so a compromised password alone was enough to access the account and the sensitive, nonpublic information of many individuals stored in it.

Healthplex had implemented MFA for its email environment; however, it did not verify that MFA was fully functional when it migrated to Office 365 at the beginning of the year. Because the attacker had obtained the password through the phishing attack, the attacker could access the entire contents of the account from an ordinary web browser. Cybersecurity Regulation § 500.12(b) requires MFA for remote access to the covered entity’s information systems and third-party applications.

The required cybersecurity program must ensure that a covered entity can report cybersecurity incidents promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity incident. Although the incident was discovered on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of Cybersecurity Regulation § 500.17(a). Healthplex had claimed that it complied with the Cybersecurity Regulation for 2021; however, the investigation showed that this was not the case, in violation of § 500.17(b). The absence of policies for the periodic secure disposal of data is a further violation of Cybersecurity Regulation § 500.13.

In addition to the financial penalty, Healthplex agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will engage a third-party auditor to review the MFA controls across its business infrastructure and the shared systems supporting its core business functions.

This is not Healthplex’s first financial penalty arising from a phishing attack. In 2023, Healthplex paid a $400,000 penalty to the New York Attorney General to settle alleged violations of HIPAA and state information security and consumer protection laws.