A phishing email, a missing security layer, and months of silence have cost a New York insurer $2 million.
Superintendent Adrienne A. Harris announced a settlement with Healthplex, Inc. after a state investigation revealed serious cybersecurity lapses that exposed the sensitive data of tens of thousands of New Yorkers.
What went wrong
The issue started in late 2021 when a Healthplex customer service employee clicked on a phishing email. That one click gave hackers access to a trove of private information stored in the employee’s email account — including personal and health data.
Investigators found that Healthplex had no policy to limit how long emails were stored in Outlook, and worse, the company hadn’t activated multi-factor authentication (MFA) for its email system.
The Department of Financial Services (DFS) says those two failures left customers’ nonpublic information wide open.
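The two controls DFS faulted, a cap on mailbox retention and MFA on the email system, are both routine configuration in a Microsoft 365 tenant. The script below is an added example, not part of the DFS announcement or anything Healthplex runs: it creates a one-year default retention tag in Exchange Online, applies it to all user mailboxes, and then checks whether any enabled Conditional Access policy actually requires MFA. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Connect-ExchangeOnline and Connect-MgGraph have already been run; the tag and policy names are placeholders.

```powershell
# Added example (not from the article): cap mailbox retention in Exchange Online
# and verify that an enabled Conditional Access policy requires MFA.
# Assumes the operator has already run:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes "Policy.Read.All"
# Tag and policy names below are placeholders.

# --- 1. Retention: limit how long mail is kept in mailboxes ---
$tagName    = "Delete after 1 year"        # placeholder name
$policyName = "Corporate 1-year retention" # placeholder name

# A default policy tag (-Type All) covers every folder that has no tag of its own.
# DeleteAndAllowRecovery moves aged items to Recoverable Items rather than purging.
New-RetentionPolicyTag -Name $tagName -Type All `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery

New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $tagName

# Apply the policy to every user mailbox and run the Managed Folder Assistant
# now instead of waiting for its next scheduled pass.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -RetentionPolicy $policyName
        Start-ManagedFolderAssistant -Identity $_.Identity
    }

# --- 2. MFA: confirm an enabled Conditional Access policy actually enforces it ---
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object {
        $_.State -eq "enabled" -and
        $_.GrantControls.BuiltInControls -contains "mfa"
    }

if (-not $mfaPolicies) {
    Write-Warning "No enabled Conditional Access policy requires MFA."
} else {
    $mfaPolicies | Select-Object DisplayName, State
}

# Legacy mail protocols are the usual way MFA gets sidestepped; list any mailbox
# that still has POP or IMAP switched on so it can be reviewed and disabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled
```

The retention half is preventive: a compromised mailbox can only expose what is still in it, so a 365-day cap bounds the blast radius of the kind of single-click phishing compromise described above. The MFA half is a check rather than a change, because the policy is usually scoped to specific users and apps and should be reviewed before being broadened.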
Delayed reporting made
Under New York’s cybersecurity regulation, companies must report data breaches within 72 hours. But DFS says Healthplex waited over four months to notify the state.
That delay violated a key part of the law, which is designed to protect consumers and allow regulators to act quickly in response to security threats.
As part of the settlement, Healthplex will pay the $2 million fine and bring in an independent auditor to evaluate its MFA controls.
“Health insurance providers are entrusted with highly sensitive personal information,” Harris said. “Healthplex’s failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers.”