On December 8, 2023, New York Attorney General Letitia James signed an Assurance of Discontinuance with third-party dental administrator Healthplex, settling the enforcement action for $400,000 and a litany of data privacy and security compliance requirements.

The AG’s investigation commenced following a successful phishing attack against Healthplex on November 24, 2021. The threat actor gained access to a Healthplex employee’s email account, which contained over twelve years of email, including enrollment information of insureds.

The AG’s investigation found that the threat actor had access to the employee’s account for less than one day, but during that time may have had access to member data, including personal information. Healthplex’s O365 account did not have multi-factor authentication enabled at the time, and the available logs could not determine which emails the threat actor accessed. Healthplex notified the individuals whose information was included in the email account.

Following the incident, Healthplex enabled multi-factor authentication, upgraded its O365 license for enhanced logging capabilities, provided additional security training for employees, and implemented a 90-day email retention policy.

Although these are sound measures to implement in response to the incident, note that the NYAG cites their absence before the incident as a basis for the settlement with Healthplex, along with the further finding that Healthplex’s data security assessments had not identified those very vulnerabilities.

As with other regulatory settlements, the Assurance of Discontinuance is worth a read by those responsible for compliance in an organization. If a security incident occurs and an organization responds with security measures that might have prevented it, or that are sound measures that could have been implemented beforehand, regulators will take note. In this case, implementing MFA, data retention procedures, employee education, and enhanced logging for O365 are measures that organizations may wish to put in place now if they have not already done so.