Dental insurance provider Healthplex must pay $400,000 to New York for failing to properly shield the sensitive data of nearly 90,000 members following a 2021 cyberattack, according to an assurance of discontinuance signed December 8 by the state's attorney general.
The New York-based dental insurance provider had inadequate data security protocols that made it vulnerable to a data breach that exposed patient information, including names, birth dates, credit card numbers, bank account numbers, diagnoses, and prescribed medication. Information from 89,955 members, including 63,922 living in New York, was compromised, according to the assurance from the Attorney General of the State of New York Bureau of Internet and Technology.
Under the terms of the agreement, Healthplex must also boost its security practices. The company must hire a chief information security officer who regularly meets with the company CEO and board in addition to implementing an information security program and encrypting member private information.
Also, the company agreed to other security measures, including maintaining a centralized logging system to monitor network activity and implementing a security system that includes mobile device management that allows for rules concerning accessing and sharing data, according to the agreement.
Furthermore, Healthplex agreed to maintain a penetration testing program that aims to identify and remediate security vulnerabilities within its computer network. The company must offer two years of identity theft protection at no charge to any members who are subsequently determined to have been affected by the data breach, according to the agreement.
In November 2021, an unknown person sent a phishing email to an employee at Healthplex requesting that the person enter their login credentials. The hacker then gained access to the employee’s account, which held more than a dozen years of emails containing personal information, including member names, banking information, Social Security numbers, insurance names, identification numbers, member portal usernames and passwords, and more, according to the attorney general’s office.
After the attorney general’s office completed its investigation, the state concluded that Healthplex failed to adopt appropriate data security practices to protect patient information by failing to implement multifactor authentication for accessing emails remotely, according to the assurance.
In 2019, Healthplex was acquired by MCNA Dental, one of the largest benefits providers for government-sponsored dental programs in the U.S. In May 2023, MCNA announced that it was hit by a cyberattack that may have exposed sensitive data, including Social Security numbers, of nearly 9 million patients.
Together, MCNA and Healthplex serve 8.9 million Medicaid and Children’s Health Insurance Program patients in Texas, Florida, Iowa, Idaho, Louisiana, Nebraska, Arkansas, Utah, New York, and the Northeast.