Cyber Incident Victim: Healthplex Inc.
Date: Nov 2021
Location: United States of America
Summary
Healthplex Inc. experienced a phishing attack compromising an employee's email account, exposing personal and protected health information of 89,955 dental plan enrollees. The breached data included names combined with sensitive details such as Social Security numbers, financial information, medical treatment codes, and login credentials. Following an investigation, the organization secured the account, notified affected individuals, and offered identity theft protection services. The incident resulted in a $400,000 penalty from regulatory authorities for violations of data security laws, prompting enhancements to email security measures to mitigate future risks.
Description
On November 24, 2021, Healthplex Inc., a major New York dental insurance provider, experienced a phishing attack that compromised an employee’s email account. The breach was promptly detected, and Healthplex secured the affected account to prevent further unauthorized access. An investigation was initiated to determine the scope and nature of the incident. On April 5, 2022, Healthplex confirmed the compromised email account contained personal and protected health information belonging to 89,955 individuals enrolled in its dental plans. The exposed data included first and last names combined with one or more of the following: addresses, group names and numbers, member ID numbers, plan affiliations, dates of birth, dates of service, provider names, ADA codes and descriptions, billed/paid amounts, prescription drug names, Social Security numbers, banking information, credit card numbers, member portal usernames and passwords, email addresses, phone numbers, and driver’s license numbers. The breach did not impact all individuals uniformly, with data exposure varying per person.

Healthplex mailed notification letters to affected individuals on April 15, 2022, offering complimentary identity theft protection services through LifeLock. The New York Attorney General’s Office investigated the incident, identifying violations of state data security and consumer protection laws. Healthplex settled the investigation by paying a $400,000 financial penalty. In response to the breach, Healthplex implemented enhanced security measures for its email environment to reduce the risk of similar incidents. No additional unauthorized access or data misuse was confirmed beyond the initial compromise period. The incident exclusively involved the single employee email account targeted in the November 2021 phishing attack, with no evidence of broader system infiltration.
