NYDFS Enforces $2.25 Million Settlement Over Health Care Cybersecurity Breach

The New York Department of Financial Services (NYDFS) has finalized a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co. following allegations of noncompliance with the state’s rigorous cybersecurity regulations. Announced on April 29, 2026, the enforcement action highlights the NYDFS’s ongoing commitment to ensuring strict adherence to its updated cybersecurity framework, widely regarded as the toughest in the nation.
Key Allegations and Settlement Details
The settlement stems from a 2023 data breach that exposed sensitive information of approximately 60,000 policyholders. Hackers exploited a vulnerability in MOVEit, a third-party file transfer tool used by Delta Dental, to access files containing Social Security numbers, financial data, and health records. According to regulators, Delta Dental failed to meet several critical requirements under New York’s cybersecurity rules, codified at 23 NYCRR 500. These included:
- Lacking robust data disposal policies.
- Failing to maintain sufficiently detailed incident response plans.
- Delaying notification to authorities until mid-December 2023, well beyond the required 72-hour reporting window.
The matter was resolved through a consent order issued by NYDFS, requiring Delta Dental to pay $2.25 million in penalties.
Broader Implications for Cybersecurity Compliance
This settlement underscores the NYDFS’s enhanced enforcement approach, particularly for health insurers, managed care organizations, and their third-party service providers operating under New York insurance law. As the NYDFS continues to enforce its stringent regulations, the case of Delta Dental serves as a stark reminder of the compliance risks organizations face under the revamped cybersecurity framework.
The investigation also highlights critical compliance gaps. For instance, regulators alleged violations of Section 500.13 of 23 NYCRR 500, which mandates secure disposal of nonpublic information that is no longer necessary for business operations. This standard is rooted in data minimization, an obligation that federal HIPAA regulations do not impose, so organizations that benchmark their programs solely against HIPAA can fall short of it.
Other Recent Enforcement Actions
Delta Dental’s case is not an isolated incident. In August 2025, the NYDFS settled a multimillion-dollar enforcement action against Healthplex, Inc., another dental insurance company, after a 2021 phishing attack exposed customer data. The company’s failure to fully implement multi-factor authentication (MFA) safeguards was a key focus of that investigation. Both cases demonstrate that the NYDFS is actively pursuing pre-amendment violations of its cybersecurity regulations while signaling future enforcement under its updated requirements.
Updated Regulations and Their Impact
The November 2025 amendments to 23 NYCRR 500 introduced additional obligations for covered entities, including:
- Expanded Multi-Factor Authentication (MFA): MFA is now required for all individuals accessing any information system of a covered entity, with limited exceptions for specific service accounts. Organizations qualifying under Section 500.19(a) must still implement MFA for remote access, cloud applications handling sensitive data, and accounts with elevated privileges.
- Comprehensive Asset Inventory: Entities are now required to maintain a formal, well-documented record of all information systems, supported by detailed procedures for regularly reviewing and updating the inventory.
The NYDFS has also emphasized that responsibility for cybersecurity compliance cannot be delegated to third-party vendors. In October 2025, the department issued guidance making it clear that gaps in vendor oversight could be treated as compliance failures during regulatory reviews or enforcement actions.
Lessons Learned and Recommendations
The Delta Dental settlement, alongside the Healthplex action and recent NYDFS guidance, signals that the department views cybersecurity enforcement as a top priority in the health care and insurance sectors. Organizations subject to New York’s cybersecurity regulations should treat these enforcement actions as a roadmap to address potential compliance gaps. Key areas of focus should include:
- Establishing clear data retention and disposal policies.
- Developing comprehensive incident response plans.
- Strengthening oversight of third-party vendors.
- Implementing and expanding MFA safeguards.
The NYDFS’s proactive stance serves as a warning to organizations operating in New York: compliance with its cybersecurity requirements is not optional, and failure to meet these standards may result in significant financial and reputational consequences.