NY State Imposes $2M Fine on Dental Plan Company for Phishing Breach


Healthplex, a UnitedHealth Group Subsidiary, Fined for Lacking MFA on Compromised Email Account

New York State fined a dental plan administrator owned by insurer UnitedHealth Group $2 million for failing to protect data with multifactor authentication. (Image: Healthplex)

The New York State government has imposed a $2 million penalty on Healthplex, a dental plan administrator owned by UnitedHealth Group. The penalty stems from the company's failure to implement multifactor authentication (MFA) and from a series of related cybersecurity lapses tied to a phishing breach that affected approximately 90,000 individuals. Notably, this is the second fine levied against Healthplex for the same breach.

The New York State Department of Financial Services announced the latest enforcement action, indicating that Healthplex failed to adhere to state cybersecurity regulations, specifically by not implementing MFA for Office 365 email access via external browsers.

The recent legal settlement between the state and Healthplex is part of ongoing scrutiny that followed a December 2023 investigation, in which the New York attorney general had already fined Healthplex $400,000 for similar violations stemming from the same phishing incident.

The breach reportedly began when a Healthplex customer service employee clicked a malicious link in a phishing email, granting cybercriminals access to sensitive consumer data stored in the employee’s email account. The compromised information included non-public details such as names, addresses, birth dates, Social Security numbers, and financial records.

According to state representatives, Healthplex had MFA in place on its previous email system, but when it migrated to Office 365 earlier in 2021, MFA was never made fully operational for email access through external web browsers, a violation of state cybersecurity mandates.

The investigation also revealed that Healthplex did not have an adequate data retention policy to manage the storage of emails within Microsoft Outlook, further demonstrating deficiencies in its data management practices.

Adrienne Harris, superintendent of New York’s Department of Financial Services, emphasized that insurance providers are entrusted with highly sensitive personal information. The department’s regulations require such organizations to maintain stringent cybersecurity protocols to protect consumers’ private data.

MFA Shortcomings and Regulatory Action

UnitedHealth Group acquired Healthplex in December 2020, prior to the occurrence of this phishing incident. Similarly, UHG acquired Change Healthcare in 2023, which later experienced a significant ransomware attack in February 2024, highlighting ongoing vulnerabilities in legacy systems lacking MFA.

In response to the scrutiny, a spokesperson for UHG stated that safeguarding member privacy is a priority for Healthplex and acknowledged the resolution reached with state officials. However, UHG has not provided details regarding its approach to transitioning security practices for newly acquired entities.

Apart from the financial penalty, the settlement requires Healthplex to bolster its cybersecurity measures and undergo an audit to ensure compliance with New York cyber regulations regarding MFA. The audit will focus on assessing MFA utilization across Healthplex’s integrated business infrastructure, including Office 365, Azure cloud services, and claims processing systems.
