PH Privacy

You’ve Got Mail: NYDFS Enforcement Action Highlights Cybersecurity Risk of Over-Retention and Other Risks

August 21, 2025

By Aaron Charfoos, Michelle A. Reed, Dave Coogan and Jeremy Berkowitz

On Aug. 14, 2025, the New York Department of Financial Services (NYDFS) issued a Consent Decree announcing that Healthplex, Inc. (Healthplex) has agreed to pay a $2 million fine, as a result of an investigation into a 2021 phishing attack that exposed the personal data of “tens of thousands of New York residents … including names, addresses, dates of birth, social security numbers, financial information, driver’s license numbers, and personal health information.”

The attack began when a Healthplex employee received a phishing email asking them to enter their email log-in credentials to review an incoming fax message. The employee complied, giving the threat actor access to the employee’s email account, which held more than 100,000 emails amassed over 20 years. The attack and subsequent investigation revealed numerous deficiencies in Healthplex’s cybersecurity program that violated the NYDFS Part 500 Cybersecurity Regulation (Part 500).

In addition to the penalty, Healthplex, a licensed provider of dental insurance management services, must take remediation steps to fully comply with Part 500, including conducting a mandatory audit of its multi-factor authentication (MFA) controls.

Key Failings Identified

The Consent Decree noted the following deficiencies with Healthplex’s cybersecurity program:

  • Lack of MFA Controls: Healthplex migrated its employee email accounts to Office 365 in 2021. During the transition, however, it failed to ensure that MFA was enforced for browser-based access to Office 365. As a result, once the employee fell for the phishing email, the threat actor used the stolen credentials to open the employee’s inbox through the Office 365 web interface without being challenged for any additional authentication factor. The Consent Decree states that, under NYDFS 500.12, a covered entity must implement MFA “for individuals accessing a Covered Entity’s internal network from an external network.”
  • Data Retention: The employee who was the target of the phishing campaign had more than 100,000 emails in their inbox. NYDFS attributed this large number of messages to Healthplex’s failure to have a data retention policy, violating NYDFS 500.13(b), which requires a covered entity to “have policies and procedures for the secure disposal on a periodic basis of any nonpublic information … that is no longer necessary for business operations or for other legitimate business purposes of the covered entity.”
  • Incident Notification: Healthplex first discovered the breach in November 2021 but did not report it to NYDFS until April 2022. This violated NYDFS 500.17(a), which requires a covered entity “to notify the Superintendent as promptly as possible, but in no event later than seventy-two (72) hours, from a determination that a reportable cybersecurity event has occurred.”
  • Annual Certifications: NYDFS 500.17(b) requires a covered entity to annually certify their compliance with Part 500 regulations. Despite the gaps noted, Healthplex certifications from 2018 through 2022 attested that the company was in full compliance with Part 500.
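The MFA failing above is a coverage gap rather than a missing control: MFA was in place for some sign-in paths but not for browser access. The following check is an added example, not code from the Consent Decree, NYDFS or Paul Hastings, of how an auditor could test for that gap mechanically. It evaluates Microsoft Entra Conditional Access policies, here as constructed sample objects that mirror the fields of the Microsoft Graph conditionalAccessPolicy schema (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls); a real audit would fetch the live objects from GET /identity/conditionalAccess/policies and pass them to the same functions. The Exchange Online application ID used below is Microsoft’s well-known first-party ID; the policy names are invented.

```python
"""Audit Conditional Access policies for client app types that can reach an
application without MFA. Added example with constructed sample data modelled
on the Microsoft Graph conditionalAccessPolicy schema; not the page's code."""

# Client app types that Conditional Access can target (Graph enum values).
CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients",
                    "exchangeActiveSync", "other"}

# Well-known first-party app id for Exchange Online, plus the Graph aliases
# ("All", "Office365") that would also cover it in includeApplications.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
EXO_MATCHERS = {"All", "Office365", EXCHANGE_ONLINE}


def _enforces_factor_or_block(policy):
    """True if the grant control either requires MFA (built-in or an
    authentication strength) or blocks access outright."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    return bool(controls & {"mfa", "block"}) or bool(grant.get("authenticationStrength"))


def _covers_all_users(policy):
    # Exclusions (break-glass accounts, pilot groups) are not evaluated here
    # and must be reviewed separately; this only checks the include scope.
    users = policy["conditions"].get("users") or {}
    return "All" in (users.get("includeUsers") or [])


def _covers_app(policy, app_matchers):
    apps = policy["conditions"].get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    if excluded & app_matchers:
        return False
    return bool(included & app_matchers)


def mfa_coverage(policies, app_matchers):
    """Return the client app types for which an *enforced* policy requires MFA
    (or blocks access) for all users reaching the given application."""
    covered = set()
    for policy in policies:
        if policy.get("state") != "enabled":        # report-only does not count
            continue
        if not (_enforces_factor_or_block(policy) and _covers_all_users(policy)
                and _covers_app(policy, app_matchers)):
            continue
        types = set(policy["conditions"].get("clientAppTypes") or [])
        covered |= CLIENT_APP_TYPES if "all" in types else (types & CLIENT_APP_TYPES)
    return covered


def mfa_gaps(policies, app_matchers):
    """Client app types that can sign in to the app with a password alone."""
    return CLIENT_APP_TYPES - mfa_coverage(policies, app_matchers)


# Constructed policy set reproducing the migration gap: MFA on desktop and
# mobile clients only, legacy protocols blocked, and the catch-all MFA policy
# left in report-only mode after the cutover. Names are invented.
MIGRATION_POLICIES = [
    {
        "displayName": "Require MFA - Office desktop and mobile clients",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA - all users, all clients",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Same tenant after remediation: the catch-all policy is switched to enforced.
REMEDIATED_POLICIES = [dict(p, state="enabled") for p in MIGRATION_POLICIES]


if __name__ == "__main__":
    print("before:", sorted(mfa_gaps(MIGRATION_POLICIES, EXO_MATCHERS)))   # ['browser']
    print("after: ", sorted(mfa_gaps(REMEDIATED_POLICIES, EXO_MATCHERS)))  # []
```

Run against the migration-era set, the check reports that browser sign-in to Exchange Online is the one client path with no MFA or block requirement, which is exactly the path the phishing victim’s credentials were replayed over; enabling the catch-all policy closes it. A real audit should also inspect each policy’s user and group exclusions, which this check deliberately leaves to a manual review.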

Consent Decree Requirements

In addition to the fine, the Consent Decree requires Healthplex, within 60 days of the Consent Decree’s effective date, to hire a third party approved by NYDFS to conduct an audit of its MFA controls “related to the (1) integrated infrastructure in which the Healthplex business operates; and (2) shared systems that support Healthplex’s core business functions, such as O365, Azure, and claims system.” The third party will conduct this audit within 90 days and submit its findings to NYDFS. NYDFS and Healthplex will then agree on a timeline for remediating the findings.

NYDFS Updates

The Consent Decree comes as covered entities are in the final stages of implementing the requirements of the Part 500 amendment that was finalized and approved in November 2023. Since then, new rules have gone into effect in scheduled phases, covering a number of topics, including: cybersecurity policies; incident response and business continuity plans; security officer and board responsibilities; vulnerability management practices; and risk assessment procedures. In November 2025, the final set of rules will go into effect, including requirements for:

  • The implementation of MFA for any individual accessing any of the covered entity’s information systems, unless the entity’s chief information security officer (CISO) approves equivalent alternative compensating controls. Keep in mind that NYDFS found Healthplex to be in violation of its current MFA rules even without these updated regulations in effect.
  • Maintaining an updated asset inventory that contains key information for all hardware and software assets, including:
    • Asset owners
    • Asset locations
    • Classification of data held on the assets
    • Asset expiration dates
    • Asset recovery time objectives

Considerations

Covered entities should take steps to ensure their cybersecurity programs are Part 500 compliant, including with the new rules that are expected to take effect in November, and in particular in the areas to which we have noticed NYDFS paying increased attention recently in licensee applications and certifications:

  • MFA: This is the second time this calendar year that NYDFS has sanctioned a company for failure to have proper MFA controls. Covered entities should ensure that they have MFA in place for access to all nonpublic information they hold, or that their CISO has approved alternative compensating controls.
  • Policies: Covered entities should take steps to have all policies required by NYDFS in place, particularly those mentioned in NYDFS 500.3 and 500.13. Covered entities should ensure that each policy incorporates or references related procedures to help implement these policies and that the policies note that they are reviewed and updated annually by a senior officer in the business (e.g., CISO) and/or the board of directors.
  • Certifications: All covered entities are required to submit their annual certifications of compliance with Part 500 by April 15, 2026, demonstrating compliance during 2025. NYDFS 500.17(b)(1)(i.)(b) says that such certification shall be “based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation.” While such documentation does not need to be submitted to NYDFS, it must be retained for a period of five years. Covered entities should conduct a Part 500 assessment of their current cybersecurity program prior to certification and retain all relevant documentation.

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises clients in responding to data breaches and on compliance with Part 500 and other cybersecurity regulations. If you have experienced a breach or have any questions concerning how the changes to Part 500 may affect your organization, please do not hesitate to contact the members of our team listed here.

Contributors

Aaron Charfoos, Partner, Litigation Department

Michelle A. Reed, Partner, Litigation Department

Dave Coogan, Of Counsel, Litigation Department

Jeremy Berkowitz, Senior Privacy Director and Deputy Chief Privacy Officer


Practice Areas

Data Privacy and Cybersecurity

Fintech

Privacy and Cybersecurity Solutions Group
