State Regulatory Developments

NY Fines Health Insurance Company $4.5M for Consumer Data Breach

The New York Department of Financial Services announced on October 18, 2022, that it had issued a consent order requiring a vision services health insurance company to pay $4.5 million, ending a probe into whether the company violated state cybersecurity regulations before a 2020 data breach. The breach occurred when a hacker gained access to six years’ worth of sensitive data through a phishing attack on the company’s email network, which was not protected by multi-factor authentication. The consent order maintains that the company breached 23 NYCRR § 500.01(d), New York’s Cybersecurity Regulation, by (i) failing to maintain a “cybersecurity program” based on the covered entity’s risk assessment as the Regulation requires, (ii) failing to conduct a periodic “risk assessment,” and (iii) failing to implement multi-factor authentication for all organizational employees, among other issues, resulting in the exposure of patients’ “sensitive, non-public, personal health data.”