NY AG Reaches $400K Settlement With Healthplex Over Data Breach

Healthplex suffered a phishing attack that resulted in a data breach in 2021, impacting tens of thousands of New Yorkers.

By Jill McKeon

New York Attorney General (NYAG) Letitia James reached a settlement with Healthplex, a large dental insurance provider, following a data breach that occurred in November 2021. Healthplex agreed to pay $400,000 to resolve the investigation.

According to the company’s original breach notice, issued in April 2022, Healthplex discovered that one of its employees had fallen victim to a phishing attack in November 2021 that resulted in unauthorized access to their email account.

Further information from the NYAG’s filing stated that the hacker gained access to more than 12 years of emails, some of which contained customer enrollment information.

“The attacker obtained the login credentials to the email account when the account owner, who had been employed by Healthplex for over 20 years, responded to a phishing email and provided her login credentials,” the New York Attorney General’s Office alleged.

“The attacker was then able to gain access to the account by using the company’s recently deployed Office 365 web interface, which lacked multi-factor authentication at the time of the attack.”

The email account contained information pertaining to more than 85,000 individuals in total, including names, member ID numbers, credit card numbers, prescription drug names, Social Security numbers, usernames and passwords for the member portal, phone numbers, and driver’s license numbers.

At the time of notification, Healthplex provided impacted individuals with identity theft protection services and pledged to implement additional safeguards to prevent future incidents.

The NYAG launched an investigation and identified several areas where Healthplex’s practices did not appear to meet the requirements of New York’s data security and consumer protection laws. For example, the NYAG alleged that the company did not have an email retention policy in place, as emails in the account dated back to May 2009.

What’s more, James’ office alleged that Healthplex failed to employ multi-factor authentication across all Office 365 login vectors and failed to conduct data security assessments to identify vulnerabilities.

Healthplex admitted no wrongdoing but agreed to the $400,000 settlement to resolve the allegations. The settlement also stated that Healthplex would comply with HIPAA by maintaining reasonable security policies to safeguard protected health information.

The company agreed to encrypt member information, dispose of private information when there is no business reason to retain it, and maintain strong password policies and procedures.