noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Orange County, FL

Orange County Announces New Atrium Gallery Exhibition: “Dream Team” by[...]
U.S. Department of State

Condemning China Water Cannoning Filipino Fishers
Town of Gilbert, AZ

Arrest Update: Dec. 13, 2025 Shooting Investigation

Local News

New York State Department of Financial Services

08/14/2025 | Press release | Distributed by Public on 08/14/2025 08:21

Superintendent Adrienne A. Harris Secures $2 Million Cybersecurity Settlement with Healthplex, Inc.

Back To Newsroom

Superintendent Adrienne A. Harris Secures $2 Million Cybersecurity Settlement with Healthplex, Inc.

Healthplex's Cybersecurity Failures Enabled an Email Phishing Attack to Expose Customers' Sensitive Personal Data

August 14, 2025

New York State Department of Financial Services Superintendent Adrienne A. Harris announced today that Healthplex, Inc. (Healthplex) will pay a $2 million penalty to New York State for violations of DFS's cybersecurity regulation (23 NYCRR Part 500). As part of the settlement, Healthplex has agreed to hire an independent auditor to examine the adequacy of Healthplex's multi-factor authentication (MFA) controls.

"Health insurance providers are entrusted with highly sensitive personal information and health data of policyholders," said Superintendent Harris. "The Department's nation-leading cybersecurity regulation requires insurers and other regulated entities to maintain and implement robust cybersecurity policies, so the private information New Yorkers entrust to them is protected. Healthplex's failure to adhere to these rules resulted in the exposure of the sensitive data of tens of thousands of consumers."

Healthplex is a licensed a provider of dental insurance management services. In late 2021, a Healthplex customer service employee received and clicked on a phishing email which granted threat actors access to all of the consumer data in the employee's email account. The Department's investigation revealed that Healthplex had no data retention policy to limit the storage of emails in Microsoft Outlook. As a result, the nonpublic information (NPI) of tens of thousands of New Yorkers was vulnerable to exposure. Notably, Healthplex did not have MFA controls set up on its Microsoft Outlook 365 email environment. These failures made it possible for the threat actors to gain access to troves of sensitive consumer NPI, including health data.

The Department's investigation also revealed that Healthplex waited over four months, well beyond the 72-hour reporting requirement in the cybersecurity regulation, from initially learning of the phishing incident and subsequent data exposure before notifying the Department. This notice requirement is a critical safeguard that enables the Department to carry out its consumer protection function.

The Department's cybersecurity regulation has been in effect since March 2017, with an updated regulation becoming effective in November 2023.  

Read the Healthplex consent order here.

###

Contact the Press Office

(212) 709-1691

[email protected]

New York State Department of Financial Services published this content on August 14, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on August 14, 2025 at 14:21 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]

Back

View original format