Delta Dental Insurers to Pay New York $2.25M Over Cybersecurity Incident

May 5, 2026

Delta Dental Insurance Co. (DDIC) and Delta Dental of New York, Inc. (DDNY) will pay a $2.25 million penalty for violations of New York’s cybersecurity regulation, the Department of Financial Services (DFS) reported.

Acting DFS Superintendent Kaitlin Asrow said that an investigation determined that the companies’ “inadequate incident response policies and procedures” allowed unauthorized access to New Yorkers’ personal information including names, addresses, social security numbers, driver’s license numbers, financial account information, and patient health information.

The investigation found that the cybersecurity program used by the companies did not comply with DFS’s cybersecurity regulation, which requires them to implement retention settings, policies, procedures, and controls designed to protect consumer data and the information systems of the financial institutions themselves.

In addition, DDIC and DDNY failed to timely report their respective cybersecurity events as required, DFS said.

DDIC is a licensed accident and health insurer and DDNY is a licensed non-profit dental expense indemnity company. Both companies use MOVEit Transfer servers for transferring files among their affiliates’ customers, business partners, medical professionals, and employees.

On June 2, 2023, DFS alerted regulated entities to this vulnerability and its remediation in an industry guidance letter. DDIC and DDNY notified all affected consumers by March 2024.

DFS’s cybersecurity regulation became effective in March 2017, with an updated amendment effective as of November 2023.