NYDFS Strengthens Cybersecurity Enforcement with $2.25M Settlement and AI Scrutiny in Healthcare
The New York Department of Financial Services (NYDFS) has intensified its cybersecurity enforcement in the healthcare sector, finalizing a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co. on April 29, 2026. The resolution stems from a 2023 data breach involving a MOVEit file-transfer vulnerability, which exposed 60,000 files containing sensitive policyholder data, including Social Security numbers, financial details, and health records. Regulators found that Delta Dental failed to meet 23 NYCRR 500 requirements, including inadequate data disposal policies, delayed incident reporting (beyond the 72-hour window), and insufficient incident response plans.
This enforcement action follows a 2025 settlement with Healthplex, Inc., a dental insurance management firm, over a 2021 phishing attack linked to weak multi-factor authentication (MFA) implementation. Both cases highlight NYDFS’s focus on vendor oversight, MFA compliance, and data minimization, areas where HIPAA alone may not suffice. The agency has made clear that third-party service providers will be held accountable for gaps in cybersecurity controls, even under pre-2025 regulations.
Separately, AI-driven healthcare tools face growing scrutiny. On March 25, 2026, the Electronic Frontier Foundation (EFF) sued the Centers for Medicare and Medicaid Services (CMS) under the Freedom of Information Act (FOIA), seeking records on the Medicare Wasteful and Inappropriate Service Reduction (WISeR) Model, an AI-powered prior authorization pilot. The lawsuit underscores concerns over transparency, safeguards, and vendor relationships in federal health programs as AI integration expands.
NYDFS’s latest regulations, fully effective as of November 2025, now mandate MFA for all system access, regardless of user location or data type, with limited exemptions for remote access, cloud applications handling nonpublic information, and elevated-privilege accounts. Covered entities must also maintain formal asset inventories, enforce data retention policies, and ensure timely breach notifications.
These developments signal that health insurers, managed care organizations, and their vendors operating in New York must prioritize proactive compliance, particularly in data disposal, incident response, and vendor risk management, to avoid regulatory penalties. The NYDFS continues to set a national benchmark for cybersecurity enforcement, with healthcare entities squarely in its crosshairs.
Healthplex, Inc. TPRM report: https://www.rankiteo.com/company/healthplex-inc-
Delta Dental Insurance Co. TPRM report: https://www.rankiteo.com/company/delta-dental-of-north-carolina
Delta Dental of New York TPRM report: https://www.rankiteo.com/company/deltadentalofnewjerseyandconnecticut