DataBreaches.Net


NYDFS Secures $2 Million Cybersecurity Settlement with Healthplex, Inc.

Posted on August 16, 2025 by Dissent

There is an update to a phishing incident in 2021 that impacted more than 89,000 people with Healthplex dental insurance. DataBreaches notes that the NYDFS settlement announced below is not the first settlement stemming from this incident. In December 2023, the NY Attorney General’s Office announced a $400,000 settlement with Healthplex. Both the 2023 and 2025 cases stem from the same incident and both faulted Healthplex for not having multifactor authentication in place, although the NYDFS action also highlighted the dental insurer’s failure to have data retention policies in place, resulting in the employee’s email account storing 12 years of emails with personal and protected health information. 

One breach. Two state enforcement actions. There’s probably some lesson to be learned in there if it hasn’t been learned already.

August 14, 2025

New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex, Inc. (Healthplex) will pay a $2 million penalty to New York State for violations of DFS’s cybersecurity regulation (23 NYCRR Part 500). As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex’s multi-factor authentication (MFA) controls.

“Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders,” said Superintendent Harris. “The Department’s nation-leading cybersecurity regulation requires insurers and other regulated entities to maintain and implement robust cybersecurity policies, so the private information New Yorkers entrust to them is protected. Healthplex’s failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers.”

Healthplex is a licensed provider of dental insurance management services. In late 2021, a Healthplex customer service employee received and clicked on a phishing email which granted threat actors access to all of the consumer data in the employee’s email account. The Department’s investigation revealed that Healthplex had no data retention policy to limit the storage of emails in Microsoft Outlook. As a result, the nonpublic information (NPI) of tens of thousands of New Yorkers was vulnerable to exposure. Notably, Healthplex did not have MFA controls set up on its Microsoft Outlook 365 email environment. These failures made it possible for the threat actors to gain access to troves of sensitive consumer NPI, including health data.

The Department’s investigation also revealed that Healthplex waited over four months, well beyond the 72-hour reporting requirement in the cybersecurity regulation, from initially learning of the phishing incident and subsequent data exposure before notifying the Department. This notice requirement is a critical safeguard that enables the Department to carry out its consumer protection function.

The Department’s cybersecurity regulation has been in effect since March 2017, with an updated regulation becoming effective in November 2023.

Read the Healthplex consent order here.

###

Source: New York Department of Financial Services

Category: Breach Laws, Commentaries and Analyses, Health Data, Phishing, U.S.
