DataBreaches.Net


Two agencies in one state investigated and fined Healthplex. Was that one too many?

Posted on August 19, 2025 by Dissent

DataBreaches is generally a great fan of state attorneys general taking enforcement action stemming from data breaches where the security was really subpar or the entity did not notify those affected in a reasonable amount of time. But two enforcement actions in New York have me wondering if the state has been a bit unfair and if we need some kind of civil double jeopardy protection or something.

In 2021, Healthplex fell prey to a phishing attack that compromised an employee’s email account. The incident was disclosed at the time, and it affected almost 90,000 people because that employee’s email account had 12 years’ worth of emails in it.

The New York Attorney General’s Office (NYAG) started an investigation under Executive Law § 63(12), General Business Law (“GBL”) §§349, 899-aa, and 899-bb, and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 123 Stat. 226.

DataBreaches notes that the attacker only had access for a matter of hours because Healthplex discovered the attack quickly and stopped it. But because of the logging system in place at the time, Healthplex was unable to determine what emails were accessed and if any were exfiltrated.

The state ultimately took enforcement action against Healthplex for failing to have MFA in place across all Office 365 logins, for failing to have a data retention policy in place for email, and because its data security assessment had not identified those gaps. For all that Healthplex had done right or well in security, these problems wound up costing it a $400,000.00 monetary penalty to settle the charges, plus a commitment to make a number of security improvements.

The settlement was announced in December 2023.

And Now More?

Fast forward to August 2025, when the New York Department of Financial Services (NYDFS) announced its own enforcement action and settlement with Healthplex stemming from the same breach. The NYDFS investigation was conducted under the state’s cybersecurity regulation (23 NYCRR Part 500). It found that Healthplex had violated that regulation by not having MFA in place, by not having policies and procedures for the secure disposal of nonpublic information, and by not complying with the provision that requires covered entities to notify the superintendent as promptly as possible, but in no event later than 72 hours after a determination has been made that a reportable cybersecurity incident occurred. NYDFS also concluded that Healthplex had violated the requirement that covered entities certify that they are in compliance with the cybersecurity regulation. Although Healthplex had filed those certifications every year, the state concluded that the certifications were deficient because Healthplex had not actually been in compliance, given the absence of MFA and of policies and procedures for the secure disposal of nonpublic information.

So although they are citing different regulations, the state again faulted and penalized Healthplex over the absence of MFA and for not having retention and disposal policies and procedures.

And whereas NYAG settled its charges with Healthplex for $400,000.00 and a commitment to make certain improvements, somehow Healthplex wound up agreeing to pay NYDFS $2,000,000.00 and to hire an auditor to audit its MFA and its compliance with security requirements. DataBreaches also noted that a clause in the consent order bars Healthplex from either seeking or accepting, directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including but not limited to payment made pursuant to any insurance policy.

Was This Fair?

Why did NYAG settle with Healthplex for $400,000 plus corrective steps, whereas NYDFS settled for $2 million for violations that were already addressed in NYAG’s findings and settlement? Is there any equivalent of double jeopardy when it comes to state agencies and enforcement of cybersecurity and breach-related laws or regulations? If not, should there be?

Did Healthplex have a serious flaw by not having MFA for its email? In DataBreaches’ opinion, yes. It also had a serious flaw by storing so much old data in an employee’s email account instead of encrypting it and storing it elsewhere. And yes, it should have notified NYDFS within 72 hours of determining it had a reportable breach.

But does that justify putting Healthplex through the time and cost of two separate investigations, and then $2.4 million in monetary penalties? DataBreaches believes the cumulative monetary penalties were excessive.

Did the two agencies know of each other’s investigation and intentions? Somewhat curiously, the NYAG settlement in 2023 was signed by the CEO of Healthplex, Inc. with an Illinois address, while the 2025 NYDFS settlement was signed by a different CEO of Healthplex, Inc. with a New York address. At any point, did Healthplex say to NYDFS, “Hey, this seems a bit excessive? We already agreed to pay $400,000 for two of these failures and to make improvements, so why are we going through this again?”

Do any of those affected even get a dime of the monetary penalties or does all the money go to the state? As far as DataBreaches knows, it all went to the state.

DataBreaches emailed both New York state agencies and Healthplex, to request their comments about why there were two investigations and cases instead of one consolidated case, and to ask Healthplex whether they felt what happened to them was unfair.

None of the parties had replied by publication time.


Categories: Breach Incidents, Commentaries and Analyses, Health Data, Legislation, State/Local, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.