A Long Island-based dental insurance provider has agreed to pay a $400,000 penalty after a 2021 data breach compromised the personal and private information of almost 90,000 individuals, more than 60,000 of them New York residents, the office of state Attorney General Letitia James announced Monday.
As a result of the agreement, James said not only will the provider, Healthplex Inc., headquartered at The Omni Building in Uniondale, pay the penalty, it also will “adopt a series of procedures” designed to strengthen its cybersecurity practices in the future.
“Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” James said in a statement Monday, adding: “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands.”
According to authorities, the breach stemmed from a so-called “phishing email” sent to a Healthplex employee in late November 2021.
As a result of that email, James said a hacker “gained access” to the employee’s account on Nov. 24, 2021. That account contained more than 12 years of emails, some of which resulted in the exposure of “sensitive customer enrollment information,” including names, member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card information, user names and passwords — and, even, Social Security numbers.
The breach compromised the private data of 89,955 individuals, 63,922 of them New York State residents, the Attorney General’s Office said.
A Healthplex company spokesperson could not be reached for comment Monday.
In addition to the penalty, James said Healthplex agreed to maintain a “comprehensive information security program” designed to protect confidentiality and private information and encrypt all personal information. It must also improve the security of its email retention, passwords and authentication procedures.