NYAG Settles with Healthplex for $400,000
Wednesday, December 20, 2023
NYAG Healthplex Data Privacy and Security Settlement
Print Mail Download i

On December 8, 2023, New York Attorney General Leticia James penned her approval to an Assurance of Discontinuance with third party dental administrator Healthplex, settling the enforcement action for $400,000 and a litany of data privacy and security compliance requirements.

The AG’s investigation commenced following a November 24, 2021, successful phishing attack against Healthplex. The threat actor gained access to an email account of a Healthplex employee containing over twelve years of email, including enrollment information of insureds.

The AG’s investigation learned that the threat actor had access to the employee’s account for less than one day, but during that time, may have had access to member data, including personal information. Healthplex’s O365 account did not enable multi-factor authentication at the time, and the logs were unable to determine which emails were accessed by the threat actor. Healthplex notified individuals whose information was included in the email account.

Following the incident, Healthplex enabled multi-factor authentication, upgraded its O365 license for enhanced logging capabilities, provided additional security training for employees and implemented a 90-day email retention policy.

Despite implementing these sound measures in response to the incident, note that the NYAG cites these measures as lacking before the incident, and in essence, relies on them for the settlement with Healthplex, along with another finding that Healthplex’s data security assessments did not identify those very vulnerabilities.

As with other regulatory settlements, the Assurance of Discontinuance is worthy of a read by those responsible for compliance in an organization. If there is a security incident, and an organization responds to the incident with security measures that may have prevented it or are sound measures that could have been implemented before the incident, regulators will take note. In this case, the security measures of implementing MFA, data retention procedures, employee education, and enhanced logging for O365 are measures that organizations may wish to implement now if they are not already in place.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Department of Justice Criminal Division Announces Voluntary Self-Disclosure Pilot Program for Culpable Individuals
by: David E. Carney , Danielle H. Tangorre
FTC Votes to Finalize Rule Banning Non-Compete Agreements Nationwide
by: Ian T. Clarke-Fisher , Trevor L. Bradley
Cisco Releases Updates to Vulnerabilities in Firewall Platforms
by: Linn F. Freedman
USPTO Issues Guidance on Use of AI Based Tools
by: Daniel J. Lass
California Trap & Trace Class Actions on the Rise in the Age of Website Trackers
by: Kathryn M. Rattigan
Aid Package Signed by President Biden Includes Divestiture of TikTok Requirement
by: Linn F. Freedman
Privacy Tip #395 – GM Faces Class Action for Collecting + Disclosing Drivers’ Data Without Consent
by: Linn F. Freedman
AI, Government Contractors, and Employment Discrimination
by: Data Privacy & Cybersecurity Robinson Cole
Chicago’s Application of Parking Regulations Violates RLUIPA
by: Eden (Hunter) Yerby
The Department of Education Releases Significant Revisions to Title IX Regulations
by: Kathleen E. Dion , Seth B. Orkand

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins