Attorney General James Secures $400,000 from Dental Insurance Provider for Failing to Protect Patient Data
New York Attorney General Letitia James today secured $400,000 from one of New York’s largest dental insurance providers, Healthplex, Inc. (Healthplex), for failing to properly protect the personal and medical information of New Yorkers. Healthplex, a Long Island-based company, had inadequate data security practices that made it susceptible to a data breach attack that compromised the personal and private information of 89,955 individuals, of whom 63,922 were New York residents. As a result of this agreement, Healthplex has agreed to strengthen its data security practices.
“Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”
In late November 2021, an unknown individual sent a phishing email to a Healthplex employee, asking the employee to enter their login credentials. On November 24, 2021, the hacker gained access to the employee’s account, which contained over 12 years of emails. Some of the exposed emails contained sensitive customer enrollment information, including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, and member portal usernames and passwords. The Office of the Attorney General’s investigation concluded that, by failing to implement multifactor authentication for remote email access, Healthplex failed to adopt reasonable data security practices to protect patients’ personal and health information.
As a result of today’s agreement, Healthplex has agreed to pay a $400,000 penalty and to adopt a series of procedures designed to strengthen its cybersecurity practices going forward, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
- Implementing a reasonable email retention schedule for all employees’ email accounts;
- Maintaining reasonable password policies and procedures that require the use of complex passwords;
- Requiring the use of multifactor authentication for all accounts; and
- Maintaining a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities.
Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In November, Attorney General James secured $450,000 from U.S. Radiology for failing to protect patient data. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Also in October, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. In May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices.
This matter was handled by Assistant Attorney General Marc Montgomery and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.