Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
Healthplex has agreed to pay a $2m financial penalty and take steps to improve its cybersecurity posture.
The company is owned by insurer UnitedHealth Group. NYDFS said Healthplex failed to protect data with multifactor authentication (MFA), specifically by not implementing MFA for Office 365 email access from an external web browser, and cited other failures connected to a phishing breach that affected 90,000 people.
The incident reached almost 90,000 people, it appears, because the compromised employee's email account held a full 12 years' worth of emails.
It is the second penalty a New York state authority has imposed on Healthplex for the same breach.
General background
In 2021, Healthplex fell prey to a phishing attack that compromised an employee's email account. The company reported the incident at the time and, as noted above, it affected almost 90,000 people.
The New York Attorney General’s (AG’s) Office started an investigation under general business law sections as well as under Health Insurance Portability and Accountability Act (HIPAA).
The AG's office announced its settlement with Healthplex in December 2023, saying the November 2021 hack resulted in the hacker gaining access to that employee's email account, with some of the exposed emails containing sensitive customer enrollment information, including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, and member portal usernames and passwords.
The AG's investigation cited three failures: the company did not have MFA in place across all Office 365 logins; it had no data retention policy for email; and its data security assessment had not identified a vulnerability in its logging system, which left it unable to determine which emails were accessed and whether any were exfiltrated.
The company was fined $400,000.
MFA-specific background
UnitedHealth Group (UHG) acquired Healthplex in December 2020, about a year before the Healthplex phishing incident.
In 2023, UHG also acquired the IT services unit Change Healthcare, again about a year before Change Healthcare experienced a massive ransomware attack in February 2024. The company said that attack likewise involved threat actors accessing a Change Healthcare external-facing legacy IT system that lacked MFA.
MFA is now a standard practice at the company, but UHG said that at the time of the incident Change Healthcare had not fully transitioned security controls for all of its legacy IT before the ransomware attackers accessed Change Healthcare's environment.
In the current case brought by NYDFS, the agency noted that Healthplex had MFA in place on its previous email environment, but when it migrated to Office 365 earlier in 2021 it failed to ensure that MFA was fully operational for users accessing Office 365 from an external web browser, in violation of the state's Part 500 cybersecurity regulation.
“Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders,” said Adrienne Harris, NYDFS’s superintendent.
“The department’s cybersecurity regulation requires insurers and other regulated organizations to maintain and implement robust cybersecurity policies, so the private information New Yorkers entrust to them is protected,” she said. “Healthplex’s failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers,” she added.
Again, all of this goes back to the same 2021 phishing incident and cybersecurity vulnerabilities.
In addition to the fine, under the settlement with NYDFS, Healthplex agreed to strengthen its security controls and undergo an audit to ensure its use of MFA complies with New York cyber regulations.
This audit must include an assessment of Healthplex’s MFA related to the integrated infrastructure in which the company’s business operates and shared systems that support Healthplex’s core business functions, such as Office 365, Azure cloud and its claims system.
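The gap NYDFS describes, MFA not enforced for browser access to Office 365 from outside the corporate network after a migration, is exactly the kind of regression the audit ordered above has to surface. As an added example (not code from the article, Healthplex, UnitedHealth Group or NYDFS), the Python below runs that check over sign-in records shaped like the Microsoft Graph `signIn` resource, which is how Entra ID sign-in logs are exported. The field names (`authenticationRequirement`, `clientAppUsed`, `isInteractive`, `status.errorCode`) come from that schema; the sample events, user and application names and the trusted network range are constructed for the example.

```python
"""Find successful Office 365 browser sign-ins that completed with only one factor.

Added example; not code from the article, Healthplex, UnitedHealth Group or
NYDFS. Input records follow the shape of the Microsoft Graph `signIn`
resource (an exported Entra ID sign-in log). Every user, application, IP
address and network below is constructed sample data.
"""
import ipaddress
import json
from collections import Counter

# Assumed corporate egress range (constructed). In a real run, take this from
# the tenant's named locations so the check matches what policy intends.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample sign-in events in Graph `signIn` shape (not real log data).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2021-11-02T08:14:09Z", "userPrincipalName": "a.user@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-02T08:20:41Z", "userPrincipalName": "b.user@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.5",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-02T09:03:12Z", "userPrincipalName": "c.user@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.9",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-02T09:15:55Z", "userPrincipalName": "a.user@example.com",
     "appDisplayName": "Microsoft Outlook", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Mobile Apps and Desktop clients", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-11-02T10:01:30Z", "userPrincipalName": "d.user@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.22",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"createdDateTime": "2021-11-03T07:48:02Z", "userPrincipalName": "a.user@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Browser", "isInteractive": True,
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
])


def load_signins(json_text):
    """Parse an exported sign-in log: a JSON array of signIn objects."""
    return json.loads(json_text)


def is_external(ip_text):
    """True when the source address is outside every trusted corporate network."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in TRUSTED_NETWORKS)


def find_single_factor_signins(records, client_apps=("Browser",)):
    """Return successful, interactive sign-ins from external addresses that
    satisfied only a single factor.

    Failed sign-ins are skipped (a rejected password issued no session) and so
    are non-interactive ones (token refreshes on an existing session). The
    default looks only at browser clients, the gap in the Healthplex case;
    pass more clientAppUsed values to widen the check to other client types.
    """
    gaps = []
    for rec in records:
        if rec.get("status", {}).get("errorCode", 1) != 0:
            continue
        if not rec.get("isInteractive", False):
            continue
        if rec.get("clientAppUsed") not in client_apps:
            continue
        if rec.get("authenticationRequirement") != "singleFactorAuthentication":
            continue
        if not is_external(rec["ipAddress"]):
            continue  # trusted network; only acceptable if policy deliberately exempts it
        gaps.append(rec)
    return gaps


def gaps_by_user(gaps):
    """Count flagged sign-ins per account, the unit an MFA audit reports on."""
    return Counter(r["userPrincipalName"] for r in gaps)


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    found = find_single_factor_signins(recs)
    for r in found:
        print(f'{r["createdDateTime"]} {r["userPrincipalName"]} -> {r["appDisplayName"]} '
              f'from {r["ipAddress"]}: single factor only')
    print(dict(gaps_by_user(found)))
```

Run against the constructed data, the check flags the two external browser sign-ins by a.user that completed on a password alone and ignores the rejected password, the MFA-backed sign-in, the sign-in from the trusted range and (by default) the desktop client. The trusted range is a parameter precisely because a single-factor sign-in from inside the corporate network may be what Conditional Access is meant to allow; an audit compares the log against the intended policy, not against an absolute rule. Scheduled against the live sign-in export, the same check catches the migration-time regression NYDFS describes, where MFA that worked on the old mail environment silently stopped covering the new one.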
GRIP Comment – Is this fair?
I can't help but wonder if the state of New York (albeit through separate authorities) is charging the company twice under the same facts and circumstances, even if under different laws and regulations (one action rests on both state and federal law, the other on state regulation). There is no double jeopardy principle in civil law (as opposed to criminal), but there is res judicata, which precludes causes of action arising from a previously litigated subject matter.
Both actions were settled without a judgment on the merits, though, and the specific terms of a settlement can affect res judicata‘s application. But is it fair? I’ll hedge a bit.
Certainly the state has an important duty here in holding a business in a highly regulated sector like healthcare accountable for a breach that affected tens of thousands of people. Pertinent to this case, businesses must show they are bringing legacy IT under current controls and archiving or purging old email rather than leaving many years' worth in a single employee's mailbox; both are bedrock cyber-hygiene principles. And pertinent to NYDFS rules specifically, businesses must implement MFA fully and in a timely way, maintain robust and up-to-date cybersecurity policies and processes, and abide by strict reporting requirements.
NYDFS notes that its investigation revealed that Healthplex waited over four months after first learning of the phishing incident and the subsequent data exposure before notifying the Department, well beyond the 72-hour reporting requirement in the state's cybersecurity regulation. As Superintendent Adrienne Harris notes in her agency's press release, this notice requirement is a critical safeguard that enables the agency to carry out its consumer protection function.
NYDFS likely saw a need to impose its own compliance and audit requirements (plus a fine) to ensure safeguards were in place to protect New York consumers going forward. Its set of cybersecurity requirements collectively represent one of the most stringent cybersecurity regulations in the US and have been adopted by other states as a model.
In a statement, a UHG spokesperson said, “protecting member privacy is a top priority for Healthplex. We’re pleased to have reached a resolution and are grateful for the New York State Department of Financial Services’ cooperation.”