Healthplex, a New York dental insurance provider owned by UnitedHealth, has agreed to pay a $2 million penalty to the New York Department of Financial Services (NYDFS) following a 2021 phishing attack that exposed tens of thousands of customer records. The settlement resolves alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500), which requires financial and insurance entities to implement strict safeguards, including multifactor authentication (MFA) and timely breach reporting.

The incident began in late November 2021 when a customer service employee clicked on a phishing email disguised as a fax message request and entered their Office 365 credentials on the attackers' page. Because no second factor was required, that single password gave the attackers full access to the inbox, which held more than 100,000 emails containing the personal and health information of between 76,000 and 89,955 individuals. Investigators later determined that MFA had not been fully deployed when Healthplex migrated to Office 365, and that no data retention policy was in place to limit how much old mail, and therefore how much exposed data, the inbox accumulated.

NYDFS said Healthplex also failed to notify regulators within the required 72-hour window, waiting until April 2022 to disclose the incident. Despite certifying compliance for 2021, the company was found in violation of multiple sections of the Cybersecurity Regulation, including requirements for MFA, breach reporting, and secure disposal of sensitive data.

Adrienne Harris, Superintendent of NYDFS, said the case underscores that “health insurance providers are entrusted with the highly sensitive personal information and health data of policyholders,” emphasizing the need for strong protections. A Healthplex spokesperson responded that “protecting member privacy is a top priority for Healthplex,” adding that the company is “pleased to have reached a resolution” and “grateful for the New York State Department of Financial Services’ cooperation.”

Under the consent order, Healthplex must strengthen its cybersecurity controls and hire an independent third-party auditor to review MFA and other safeguards across its business systems. The company had already paid a separate $400,000 penalty in 2023 to settle related allegations with the New York Attorney General under HIPAA and state consumer protection laws.

This case adds to a growing list of security incidents affecting UnitedHealth subsidiaries, which have faced large-scale attacks in recent years, including the 2024 Change Healthcare breach that potentially impacted 190 million people.