New York State and Healthplex HIPAA Settlement

On December 8, 2023, Healthplex, one of the largest dental administrators in New York state, settled a case with state regulators over a 2021 phishing incident. As a result of the cyberattack, 90,000 patients’ information was compromised.

The Incident and Settlement

In November 2021, an unknown attacker sent a phishing email to an employee of Healthplex. As a result, the hacker gained access to 130,000 emails dating back 12 years. While the phishing incident affected 90,000 patients in various states, a case was brought to New York State regulators, as 64,000 are New York state residents.

Protected health Information that may have been compromised due to the incident potentially included:

  • Patients’ first and last names
  • Credit card numbers and banking information 
  • Social Security and driver’s license numbers

Following an investigation into the incident, Healthplex signed a settlement with New York state, agreeing to pay $400,000 and submit to a corrective action plan

As part of the corrective action plan, Healthplex must: 

“Federal and state enforcement of health information privacy laws is increasing exponentially due to the increased number of breaches and persons affected,” said regulatory attorney Paul Hales of the Hales Law Group.

“All organizations should have a firm email destruction policy established with advice of legal counsel to avoid the time and expense of producing or searching through emails in response to a discovery request,” Hales said.

Preventing HIPAA Breaches and Fines

As breaches targeting healthcare organizations skyrocket, it is essential to implement measures to prevent unauthorized access to sensitive data. Implementing an effective HIPAA compliance program is the best way to do so. HIPAA compliance includes risk analysis, policies and procedures, employee training, and incident management. Had Healthplex implemented an effective compliance program, the incident and subsequent fine could have been prevented.

Protect Against HIPAA Fines

Compliant organizations don’t get fined. Become compliant today!