ARTICLE
29 August 2025

Three Key Takeaways From The NY DFS HealthPlex Settlement

Steptoe LLP


In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.

On August 14, 2025, the NY Department of Financial Services (NY DFS) entered into a consent order with Healthplex, LLC, fining the insurance agent and adjuster $2 million for alleged violations of the NY DFS Part 500 Cybersecurity Regulation.

Key Allegations

NY DFS alleged that Healthplex:

  • Did not maintain a data retention and disposal policy for sensitive nonpublic information (NPI) in its Microsoft Office 365 (Office 365) environment, in violation of 23 NYCRR § 500.13. The compromised mailbox contained more than 100,000 emails with sensitive personal and health information affecting tens of thousands of consumers.
  • Failed to implement multi-factor authentication for Office 365 web access following a 2021 migration, in violation of 23 NYCRR § 500.12(b). This allegedly allowed a phishing attack to compromise an employee's email account.
  • Delayed notifying DFS within the required 72 hours after determining that a reportable Cybersecurity Event had occurred, in violation of 23 NYCRR § 500.17(a). Although Healthplex became aware of the incident in November 2021, NY DFS was not notified until April 2022.
  • Improperly certified compliance for calendar years 2017–2021 despite material deficiencies, in violation of 23 NYCRR § 500.17(b).

Key Takeaways for Covered Entities

1. Developing a Data Retention Strategy is Critical

The Cybersecurity Regulation requires covered entities to consider what data they retain and to delete information that is no longer required. Specifically, NY DFS 500.13(b) compels covered entities to "have policies and procedures for the secure disposal on a periodic basis of any nonpublic information ... that is no longer necessary for business operations or for other legitimate business purposes of the covered entity..." This provision implies that covered entities must be able to (i) identify where they store data, (ii) implement procedures to identify ongoing needs, and (iii) delete what is not required. Although this is challenging, a logical first step is developing a data map. In addition, most businesses can grab an "early win" by implementing systems for periodic (and automatic) email deletion, and this is where most businesses typically begin. Covered entities should consider whether and when emails should be routinely deleted and have a plan for retaining relevant emails through a litigation hold if required.
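One way to put the periodic email-deletion and litigation-hold steps above into practice in an Office 365 environment, shown as an added example that is not part of the original article or of any Healthplex or NY DFS material. It uses the Exchange Online and Security & Compliance PowerShell modules; the seven-year retention period, the policy name and the custodian address are assumptions chosen for illustration.

```powershell
# Added example (not from the article): enforce periodic email disposal in
# Exchange Online while preserving mail for custodians under litigation hold.
# Assumptions: Exchange Online and Security & Compliance PowerShell modules are
# installed, the operator holds Compliance Administrator rights, a 7-year
# retention period (2555 days) is the organisation's schedule, and the
# custodian address is a placeholder.

$RetentionDays = 2555                     # assumed 7-year period; set per your retention schedule
$PolicyName    = 'NPI-Mail-Periodic-Disposal'
$Custodian     = 'custodian@example.com'  # placeholder for a user subject to a legal hold

Connect-ExchangeOnline
Connect-IPPSSession

# 1. Retention policy scoped to all mailboxes: delete items older than the period.
#    Because the policy applies tenant-wide, disposal happens automatically and
#    does not depend on individual users cleaning out their own mailboxes.
if (-not (Get-RetentionCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $PolicyName -ExchangeLocation All -Enabled $true
    New-RetentionComplianceRule -Name "$PolicyName-Rule" -Policy $PolicyName `
        -RetentionDuration $RetentionDays `
        -RetentionComplianceAction Delete `
        -ExpirationDateOption CreationAgeInDays
}

# 2. Litigation hold takes precedence over the deletion rule for a named
#    custodian, so relevant mail is preserved even after the period elapses.
Set-Mailbox -Identity $Custodian -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

# 3. Evidence for the annual certification: confirm the policy is distributed
#    and enabled, and list every mailbox currently on hold.
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus

Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    Select-Object PrimarySmtpAddress, LitigationHoldDate, LitigationHoldDuration
```

The final two queries are the artefacts an auditor would ask for when checking that a disposal policy is actually in force rather than merely written down.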

2. Breaches Invite Further Scrutiny

While many of the requirements in the Cybersecurity Regulation — especially the newer requirements enacted in 2023 and now being phased in — are directed toward policies, procedures, and other prophylactic requirements, it was a security incident, along with Healthplex's allegedly inadequate response, that triggered the investigation resulting in the consent order. While it is impossible to fully insulate a business from the possibility of a data breach, good security practices (such as the use of multi-factor authentication) can limit risk. Prompt and compliant response to an incident may also limit further scrutiny.

3. Multi-Factor Authentication is a Must

The Cybersecurity Regulation requires multi-factor authentication for many external connections and will soon require multi-factor authentication in nearly all situations, unless the chief security officer or CISO has approved and documented compensating controls. As a result, multi-factor authentication is becoming a baseline safeguard that regulators expect from businesses.

NY DFS has been very active over the last few years, and this trend shows no signs of abating in 2025. Now is the time to revisit and assess your compliance program to prepare for the final set of new regulations.
