Cyber security failures can have painful financial consequences. In the US, Healthplex settles suit and pays $2 million for cyber security breach

August 20, 2025

Data breaches often bring on multiple levels of pain and repeated expense. The initial breach involves the affected company bringing in technical experts to figure out where the breach occurred and undertake remedial action. Often cyber attackers leave compromised or wrecked systems in their wake, requiring rebuilding. Then there is the expense of dealing with the regulator or regulators for a prolonged period. In Australia, the regulator moves slowly, so the process can be excruciating for companies. To that extent the recent comments by Malcolm Turnbull that companies regard data breaches as the cost of doing business are a little glib and a major generalisation. That said, his comments about complacency are spot on. In the United States the costs of data breaches include civil claims by governments, usually brought through Attorneys General and government departments. Last week the Department of Financial Services settled a claim with Healthplex for $2 million arising out of a data breach which violated the state's cyber security regulation. The settlement requires Healthplex to hire an auditor to examine its multi-factor authentication controls.

The statement by the Department of Financial Services provides:

New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex, Inc. (Healthplex) will pay a $2 million penalty to New York State for violations of DFS’s cybersecurity regulation (23 NYCRR Part 500). As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex’s multi-factor authentication (MFA) controls.

“Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders,” said Superintendent Harris. “The Department’s nation-leading cybersecurity regulation requires insurers and other regulated entities to maintain and implement robust cybersecurity policies, so the private information New Yorkers entrust to them is protected. Healthplex’s failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers.”  

Healthplex is a licensed provider of dental insurance management services. In late 2021, a Healthplex customer service employee received and clicked on a phishing email which granted threat actors access to all of the consumer data in the employee’s email account. The Department’s investigation revealed that Healthplex had no data retention policy to limit the storage of emails in Microsoft Outlook. As a result, the nonpublic information (NPI) of tens of thousands of New Yorkers was vulnerable to exposure. Notably, Healthplex did not have MFA controls set up on its Microsoft Outlook 365 email environment. These failures made it possible for the threat actors to gain access to troves of sensitive consumer NPI, including health data.

The Department’s investigation also revealed that Healthplex waited over four months, well beyond the 72-hour reporting requirement in the cybersecurity regulation, from initially learning of the phishing incident and subsequent data exposure before notifying the Department. This notice requirement is a critical safeguard that enables the Department to carry out its consumer protection function.  

The Department’s cybersecurity regulation has been in effect since March 2017, with an updated regulation becoming effective in November 2023.
