New York Fines Dental Insurer $400K Over Data Breach

New York Attorney General Letitia James today secured $400,000 from dental insurance provider Healthplex, Inc. for failing to properly protect the personal and medical information of New Yorkers.

Healthplex, a Long Island-based company, had inadequate data security practices that made it susceptible to a data breach attack that compromised the personal and private information of 89,955 individuals, of which 63,922 were New York residents.

In addition to the financial penalty, Healthplex has agreed to strengthen its data security practices, according to the settlement.

According to the state, in late November 2021, an unknown individual sent a phishing email to a Healthplex employee, requesting the employee to enter login credentials. On November 24, 2021, the hacker gained access to the employee’s account which contained more than 12 years of emails. Some of the exposed emails contained sensitive customer enrollment information, including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, and member portal usernames and passwords.

The attorney general’s investigation concluded that, by failing to implement multifactor authentication for remote email access, Healthplex failed to adopt reasonable data security practices to protect patients’ personal and health information.

This agreement follows others by Attorney General James holding companies accountable for their data security practices. Her office has reached similar agreements with U.S. Radiology ($450,000), health care firm Personal Touch ($350,000), and cloud company Blackbaud ($49.5 million).

In April, James released a data security guide to help companies strengthen their data security practices.

Topics Cyber Carriers New York Data Driven