NYAG Settles with Healthplex for $400,000

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

On December 8, 2023, New York Attorney General Leticia James penned her approval to an Assurance of Discontinuance with third party dental administrator Healthplex, settling the enforcement action for $400,000 and a litany of data privacy and security compliance requirements.

The AG’s investigation commenced following a November 24, 2021, successful phishing attack against Healthplex. The threat actor gained access to an email account of a Healthplex employee containing over twelve years of email, including enrollment information of insureds.

The AG’s investigation learned that the threat actor had access to the employee’s account for less than one day, but during that time, may have had access to member data, including personal information. Healthplex’s O365 account did not enable multi-factor authentication at the time, and the logs were unable to determine which emails were accessed by the threat actor. Healthplex notified individuals whose information was included in the email account.

Following the incident, Healthplex enabled multi-factor authentication, upgraded its O365 license for enhanced logging capabilities, provided additional security training for employees and implemented a 90-day email retention policy.

Despite implementing these sound measures in response to the incident, note that the NYAG cites these measures as lacking before the incident, and in essence, relies on them for the settlement with Healthplex, along with another finding that Healthplex’s data security assessments did not identify those very vulnerabilities.

As with other regulatory settlements, the Assurance of Discontinuance is worthy of a read by those responsible for compliance in an organization. If there is a security incident, and an organization responds to the incident with security measures that may have prevented it or are sound measures that could have been implemented before the incident, regulators will take note. In this case, the security measures of implementing MFA, data retention procedures, employee education, and enhanced logging for O365 are measures that organizations may wish to implement now if they are not already in place.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide