Delta Dental Agrees to $2.25 Million Settlement with NYDFS Over MOVEit Data Breach Response

On April 30, 2026, the New York State Department of Financial Services (NYDFS) announced a $2.25 million settlement with Delta Dental Insurance Company, a licensed health insurer, and Delta Dental of New York, Inc., a licensed non-profit dental expense indemnity (together, “Delta Dental”), for violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500).

The settlement follows NYDFS’s investigation into Delta Dental’s response to a 2023 cybersecurity incident that exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. Delta Dental reported that the unauthorized access to its MOVEit tool resulted in the theft of approximately 60,000 files containing patient information, such as names, addresses, Social Security numbers, government-issued identification numbers, financial account information, tax identification numbers, health insurance policy numbers and patient health information.

NYDFS alleged that Delta Dental’s “inadequate incident response policies and procedures allowed threat actors to exploit vulnerabilities to obtain unauthorized access to New Yorkers' personal information.” Specifically, NYDFS alleged that Delta Dental violated the Cybersecurity Regulation as follows:

  • Failure to Limit Data Retention: Delta Dental failed to implement data retention settings, policies, procedures, and controls designed to protect consumer data and the company’s IT systems. For example, Delta Dental lengthened its IT systems’ default retention settings and stored the exfiltrated files for longer than 30 days.
  • Delayed Notice to NYDFS: Despite becoming aware of the incident in June 2023 and determining consumer data was affected in July 2023, Delta Dental did not notify NYDFS of the incident until December 15, 2023. (The Cybersecurity Regulation requires covered entities to notify NYDFS within 72 hours of discovery of an incident.)
  • Lacked Incident Response Policies: NYDFS found that Delta Dental failed to implement and maintain a written policy addressing incident response, including a plan that sufficiently addressed the company’s reporting obligations to regulators.

NYDFS’s consent order was limited to a monetary penalty, with no further action taken by the regulator against Delta Dental.
