Healthplex, a Uniondale-based dental insurance provider, was ordered to pay $400,000 for failing to protect the personal information of nearly 90,000 people whose data was compromised in a breach two years ago.
New York State Attorney General Letitia James’ investigators found that a hacker was easily able to use an email phishing scam to access the network of Healthplex, one of the state’s largest dental insurers, because the company did not implement multifactor authentication for remote email access.
“Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands,” James said.
Authorities said that in November 2021, an unknown hacker sent a phishing email requesting the login credentials of a Healthplex employee, allowing the cybercriminal to access the employee’s email account containing sensitive customer enrollment information, including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, and member portal usernames and passwords.
The company agreed to adopt reasonable data security practices to protect patients’ personal and health information in the future. The new measures include maintaining a comprehensive information security program to protect customer data, encrypting all personal information, and requiring the use of multifactor authentication for all accounts, among other measures.
A Healthplex representative was not immediately available for comment.