August 18, 2025

NYDFS reaches $2 million settlement with Healthplex to address cybersecurity deficiencies

On August 14, 2025, the New York State Department of Financial Services (“NYDFS”) announced that it had reached a $2 million settlement with Healthplex, Inc., a licensed provider of dental insurance management services in the State of New York, for alleged cybersecurity violations.

According to NYDFS, Healthplex’s network was compromised in late 2021 when a customer service employee opened a phishing email that enabled threat actors to access all consumer data in the employee’s account, including the nonpublic information of tens of thousands of New Yorkers. An investigation conducted by NYDFS uncovered certain vulnerabilities in Healthplex’s cybersecurity program that, according to NYDFS, violated the New York cybersecurity rules and regulations (“NYCRR”). The vulnerabilities include Healthplex’s failure to establish a data retention policy to limit the storage of emails on the network and its failure to set up multifactor authentication (“MFA”) controls on its email platform. NYDFS also discovered that Healthplex waited more than four months to report the phishing incident to the Department despite the NYCRR requirement that companies report such incidents within 72 hours.

In addition to the monetary penalty, Healthplex agreed to strengthen its cybersecurity program, including its MFA controls, with the help of an independent auditor.  The NYDFS also reported that the $2 million monetary penalty that was imposed reflects Healthplex’s cooperation with NYDFS investigators and its ongoing efforts to remediate the shortcomings identified by the Department.

NYDFS Press Release | Consent Order