Privacy Daily is a service of Warren Communications News.

Dental Insurer's Lack of Strong Data Retention Policy Prompts $2 Million Fine in NY

Dental insurance company Healthplex must pay a $2 million penalty for violating the New York State Department of Financial Services' (DFS) cybersecurity regulation, Superintendent Adrienne Harris announced Thursday. A DFS investigation showed Healthplex lacked an adequate data retention policy that would have limited the storage of emails, which resulted in exposure of consumer data during a breach in 2021.



"The Cybersecurity Regulation places on all DFS-regulated entities ... an obligation to establish and maintain a cybersecurity program, based on a risk assessment and designed to protect the confidentiality, integrity, and availability of its Information Systems and [non-public information (NPI)] contained therein," and "also contains requirements to protect Covered Entities’ internal networks from threat actors seeking to access and exploit NPI," a consent order said.

On April 8, 2022, Healthplex reported to DFS "that an employee’s email account was compromised" after the employee clicked on a phishing email, resulting in "the NPI of tens of thousands of New York residents [being] accessible, including names, addresses, dates of birth, social security numbers, financial information, driver’s license numbers and personal health information." The insurer had, however, been aware of the cyber incident since Nov. 24, 2021, more than four months before it notified the regulator.

An investigation revealed "Healthplex failed to have a data retention policy in place on its [Office 365] environment and that MFA was not enabled for Healthplex’s Outlook Web Access at the time the original phishing email was received," the order said. Additionally, "Healthplex failed to notify the Department of the Cyber Event within seventy-two hours," which is also a violation.

In addition to the monetary penalty, the company will "hire an independent auditor to examine the adequacy" of its "multi-factor authentication (MFA) controls," DFS said.

"Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders ... [accordingly] insurers and other regulated entities [must] maintain and implement robust cybersecurity policies, so the private information New Yorkers entrust to them is protected. Healthplex’s failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers."

Healthplex didn't respond to a request for comment.