On April 30, 2026, the New York State Department of Financial Services (“NYDFS”) announced that a $2.25 million settlement was reached with Delta Dental Insurance Company (“DDIC”) and Delta Dental of New York, Inc. (“DDNY”) regarding violations of the State Cybersecurity Regulation (23 NYCRR Part 500). The monetary penalty was imposed after a NYDFS investigation determined that inadequate incident response policies and procedures may have contributed to a 2023 data breach that compromised the personal data of thousands of New Yorkers.
According to the Consent Order, DDIC and DDNY (the “Companies”) used the MOVEit Transfer tool to move files to and from their affiliates, customers, business partners, and employees, including files that contained sensitive nonpublic information. On June 1, 2023, a cybersecurity affiliate of the Companies received an alert that suspicious activity had potentially occurred with the MOVEit tool – an alert that was allegedly received on the same day that Progress Software Corporation, which owns MOVEit, released a security advisory regarding a previously unknown vulnerability with the tool. The cybersecurity affiliate was also able to confirm the presence of malicious files on the Companies’ server, remove the files, and remediate the vulnerability that same day. An internal investigation into the incident uncovered evidence, on July 6, 2023, that threat actors had exploited the MOVEit vulnerability and gained access to files on the Companies’ server. On November 27, 2023, a forensic review of the incident confirmed that approximately 60,000 files were exfiltrated from the server between May 28 and May 30, 2023 – files that contained a variety of sensitive information, including insureds’ names, addresses, social security numbers, driver’s license numbers, health insurance policy numbers, and patient health information. DDIC and DDNY were ultimately able to inform all affected consumers of the data breach by March 2024.
According to the NYDFS, the Companies did not inform the NYDFS of the data breach until December 15, 2023, in violation of Section 500.17 of the Cybersecurity Regulation, which requires regulated entities to notify the Superintendent of cybersecurity events within 72 hours of their discovery. NYDFS investigators also uncovered additional violations involving deficiencies in the Companies’ cybersecurity program, including policies that failed to address the retention and secure disposal of consumers’ nonpublic information (Section 500.13); no written incident response policy (Section 500.3); and policies that failed to adequately address the Companies’ regulatory reporting obligations (Section 500.16).
As part of the settlement, the Companies agreed to pay the penalty within 10 days. The NYDFS indicated that the penalty reflects both the Companies’ cooperation with NYDFS investigators and the gravity of the violations. The Department also acknowledged the Companies’ prompt investigation of the cybersecurity incident and their continued remediation of identified deficiencies.
NYDFS Press Release | Consent Order