Cybersecurity lapses at Healthplex lead to a $2 million penalty

Healthplex, Inc. faces a $2 million penalty due to cybersecurity errors, according to Superintendent Adrienne A. Harris. The New York insurer's security flaws exposed sensitive data of thousands of New York residents following a phishing attack and months of silence, as uncovered by a state...


In a recent announcement, Superintendent Adrienne A. Harris revealed a settlement with Healthplex, Inc., following an investigation into serious cybersecurity lapses at the health insurance provider. The settlement includes a $2 million fine and several measures to enhance Healthplex's cybersecurity practices.

The investigation, conducted by the Department of Financial Services (DFS), uncovered that these failures left customers' nonpublic information wide open. One of the key issues was Healthplex's failure to adhere to cybersecurity rules, which resulted in the exposure of the sensitive data of tens of thousands of New Yorkers.

At the heart of the issue was a phishing email that was clicked by a Healthplex customer service employee in late 2021. Hackers gained access to personal and health data stored in the employee's email account, as Healthplex had not activated multi-factor authentication (MFA) for its email system.

The settlement requires Healthplex to bring in an independent auditor to evaluate its MFA controls. This move is aimed at ensuring that Healthplex implements strong email security practices to prevent future data breaches.

The best practices for implementing MFA in email systems include using MFA wherever possible, choosing phishing-resistant MFA methods, prioritizing critical applications like email when deploying MFA, and providing user training and easy support to ensure smooth adoption across the organization.

The region's leading all-digital news publication, FingerLakes1.com, reported extensively on the cybersecurity lapses at Healthplex, Inc.

Superintendent Harris reiterated that health insurance providers are entrusted with highly sensitive personal information. She emphasized the importance of implementing strong cybersecurity measures to protect this information and prevent data breaches.
