Healthplex, a Uniondale-based dental insurance provider, has agreed to pay $400,000 for a 2021 data breach, according to a statement from the New York Attorney General’s office. 

The AG’s office said Healthplex had inadequate data security practices that made it susceptible to the data breach that compromised the personal information of 89,955 people, which included 63,922 New York residents. 

After a Healthplex employee fell victim to a phishing email in November 2021, a hacker gained access to the employee’s account, which contained over 12 years of emails, according to the AG’s office. Some of the emails contained sensitive customer enrollment information, including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, and member portal usernames and passwords, according to the statement.

“Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” Attorney General Letitia James said in the statement. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

As a result of the agreement with the AG’s office, Healthplex, which is headquartered at 333 Earle Ovington Blvd., has agreed to pay a $400,000 penalty and adopt a series of procedures designed to strengthen its cybersecurity practices going forward. The company agreed to maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information; encrypt all personal information; implement a reasonable email retention schedule for all employees’ email accounts; maintain reasonable password policies and procedures that require the use of complex passwords; require the use of multifactor authentication for all accounts; and maintain a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities, according to the AG’s office.

David Winzelberg
