Privacy & Information Security Law Blog

On August 14, 2025, the New York Department of Financial Services (“NYDFS”) announced a settlement with dental insurance management services provider, Healthplex, following an investigation conducted in the wake of a 2021 data breach that revealed alleged violations of the NYDFS Cybersecurity Regulation (the “Cybersecurity Regulation”). (The Cybersecurity Regulation has been in effect since March 2017 and was updated in November 2023.) The data breach, which was caused by a phishing attack, affected the personal data of tens of thousands of New York residents’ names, addresses, dates of birth, Social Security numbers, financial information, driver’s license numbers, and health data.

As part of the settlement, Healthplex agreed to pay a $2 million penalty to New York State and to hire an independent auditor to examine the company’s multi-factor authentication (MFA) security controls.

According to the final consent order, the NYDFS alleged that at the time of the company’s 2021 data security incident, Healthplex did not have an adequate data retention policy in place, nor MFA settings enabled for access to the company’s internal network from an external network, as required by the Cybersecurity Regulation. The consent order states that the company also failed to provide timely notice to the NYDFS within 72 hours after determining that a reportable cybersecurity event occurred (and instead waited over four months to notify the regulator). Further, while Healthplex timely certified compliance with the Cybersecurity Regulation for the 2018-2021 calendar years, the NYDFS stated that these certifications were improper in light of the foregoing.

Among other obligations, in addition to the $2 million penalty, the consent order requires Healthplex to hire a third-party auditor within 60 days of the order to conduct an audit of certain of its MFA controls related to integrated infrastructures and shared systems. Healthplex must remediate any material issues discovered in the MFA audit within a reasonable timeframe agreed to by the NYDFS.

The consent order drives home the costly risks of noncompliance with the Cybersecurity Regulation. Covered entities should take the following steps to avoid a similar enforcement action:

1. Enforce robust MFA controls, especially after system upgrades or transitions.

1. The Cybersecurity Regulation requires covered entities to enable MFA for any user accessing internal networks from external sources.
2. Healthplex failed to enforce the implementation of MFA after the company migrated to Microsoft 365, leaving systems vulnerable.

2. Establish and enforce data retention and secure data disposal policies and procedures.

1. The Cybersecurity Regulation requires covered entities to develop, document and implement cybersecurity policies and procedures that address, in relevant part, data retention and the secure disposal of nonpublic information (NPI) that is no longer necessary for business purposes.
2. Healthplex lacked a data retention policy, resulting in the retention of over 100,000 emails containing health data and other NPI that were accessible to the threat actor.

3. Ensure your organization’s incident response plan requires notification of a data breach to the NYDFS within 72 hours of discovery.

1. The Cybersecurity Regulation requires notification to the NYDFS via an electronic form “as promptly as possible” but no later than 72 hours after determining an incident has occurred (at the covered entity, its affiliate, or a third-party service provider).
2. This timeline is much shorter than many state data breach notification laws, so it is important to ensure relevant personnel are aware of this notification deadline.
3. The NYDFS in its press release about the Healthplex consent order noted that the company “waited over four months, well beyond the 72-hour reporting requirement,” emphasizing that the notice requirement is “a critical safeguard that enables the Department to carry out its consumer protection function.”

4. Ensure the accuracy of annual compliance certifications.

1. The Cybersecurity Regulation requires covered entities to certify compliance with the Cybersecurity Regulation in the past calendar year. The certification must be based upon data and documentation “sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation, whether in the form of reports, certifications, schedules or otherwise.”
2. Involve legal, compliance, and relevant business functions (e.g., InfoSec, IT) in the preparation of the covered entity’s compliance certification, to ensure accuracy.
3. Here, the NYDFS alleged that Healthplex’s compliance certification for the 2018-2021 calendar years was inaccurate given the company’s 2021 data breach.