New York Attorney General Letitia James secured $400,000 from Healthplex, Inc., a dental health insurance provider, for failing to properly protect the personal and medical information of New Yorkers. Healthplex, a Long Island-based company, had inadequate data security practices that left it susceptible to a data breach that compromised the personal and private information of 89,955 individuals, 63,922 of whom were New York residents. Under the agreement, Healthplex has agreed to strengthen its data security practices.
In late November 2021, an unknown individual sent a phishing email to a Healthplex employee asking the employee to enter their login credentials. On November 24, 2021, the attacker gained access to the employee’s account, which contained over 12 years of emails. Some of the exposed emails contained sensitive customer enrollment information, including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, and member portal usernames and passwords. The Attorney General’s Office concluded from its investigation that, by failing to implement multifactor authentication for remote email access, Healthplex had failed to adopt reasonable data security practices to protect patients’ personal and health information.
Under the agreement, Healthplex has agreed to pay a $400,000 penalty and to adopt a series of procedures designed to strengthen its cybersecurity practices going forward, including:
- maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information
- encrypting all personal information, whether at rest (in documents, databases, or elsewhere) or in transit
- implementing a reasonable email retention schedule for all employees’ email accounts
- maintaining reasonable password policies and procedures that require the use of complex passwords
- requiring the use of multifactor authentication for all accounts
- maintaining a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities
“Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” James said. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”