Dental Plan Administrator Fined $400K for Phishing Breach

New York State regulators have smacked one of the largest dental administrators in the state with a $400,000 fine for a 2021 incident in which an attacker gained access to an employee email account containing 12 years’ worth of messages, including many holding sensitive member information.

See Also: Securing Your Business Begins with Password Security

About 130,000 emails were compromised and 90,000 individuals affected by the incident, including nearly 64,000 New Yorkers. Healthplex reported the incident as a HIPAA breach involving email to federal regulators in April 2022.

The New York state attorney general’s office settlement signed on Dec. 7 with Healthplex also requires the Long Island company to take a number of corrective actions.

They include implementing a data retention policy to dispose of information no longer needed for business purposes, using multifactor authentication, encrypting members’ private information, and having a CISO that reports regularly to the company’s CEO and annually to its board of directors.

The New York state attorney general is among the most aggressive of regulators across all 50 American states in enforcing HIPAA violations. “Federal and state enforcement of health information privacy laws is increasing exponentially due to the increased number of breaches and persons affected,” said regulatory attorney Paul Hales of the Hales Law Group.

“I expect 2024 to bring significantly higher levels of enforcement – not only by government agencies but also by private plaintiffs,” he said.

A settlement document in the case says that in late November 2021, an unknown attacker sent a phishing email to the email account of a Healthplex employee who had worked at the company for more than 20 years.

Investigation Findings

The phishing email contained a link directing the recipient to a credential harvesting website where users were instructed to enter a username and password to view a PDF file. The attacker obtained the login credentials to the email account when the employee took the phishing bait.

Two days after the attacker had sent the email, the hacker accessed the Healthplex employee’s account, which contained over 12 years of emails, including some containing plan members’ enrollment information.

Forensic evidence showed that the attacker’s unauthorized access to the account began on Nov. 24, 2021, and lasted for several hours, until Healthplex became aware of unusual activity and terminated the hacker’s access. Healthplex took notice of the suspicious activity when employees reported phishing emails sent by the compromised employee email account.

While the attacker had access to the compromised email account for less than one day, that account was found to contain emails and attachments dating between May 7, 2009, and Nov. 24, 2021.

Some of the emails contained dental plan member information, such as first and last name in combination with other data identifiers such as credit card numbers, banking information, Social Security number, and driver’s license number.

Following the incident, Healthplex took a number of remedial actions, regulators said. It began requiring multifactor authentication to access the Office 365 web interface, imposed a 90-day email retention policy and mandated additional security training on phishing for employees.

The settlement document says that Healthplex had a CISO “prior” to the incident but does not indicate if there was a CISO in place at the time of the phishing attack.

Healthplex did not immediately respond to Information Security Media Group’s request for comment on the incident and the settlement.

NY state’s settlement in the Healthplex case involving a phishing breach comes right on the heels of federal regulators taking their first HIPAA enforcement action in a separate breach case that also involved phishing (see: Feds Levy First-Ever HIPAA Fine for Phishing Breach).

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a $480,000 financial settlement and corrective action with Louisiana-based Lafourche Medical Group, an urgent care clinic. That enforcement action resolved the agency’s investigation into an email phishing breach reported in 2021 that compromised the electronic protected health information of nearly 35,000 individuals.

Entities must have well planned and implemented data retention policies and procedures, including email that contains protected health information, experts advise.

“All organizations should have a firm email destruction policy established with advice of legal counsel to avoid the time and expense of producing or searching through emails in response to a discovery request,” Hales said.

“Emails that relate to litigation or administrative actions must be preserved,” he added.