A UnitedHealth dental insurance subsidiary has agreed to pay a $2 million penalty in New York state to settle an investigation related to an email phishing attack that occurred around Nov. 22, 2021.

The subsidiary, Healthplex, also agreed to continue to strengthen its data security controls and to hire an outside auditor to conduct a data security audit, according to a consent order describing the settlement agreement negotiated by Healthplex and the New York State Department of Financial Services.

Healthplex reported the phishing attack to the department, has cooperated with the investigation and has been working to improve its data security efforts, New York financial services department officials noted in the consent order.

Adrienne Harris, the superintendent in charge of the New York department, said in a comment about the order that it shows the importance of insurers and other regulated entities maintaining strong cybersecurity policies.

"Health insurance providers are entrusted with the highly sensitive personal information and health data of policyholders," Harris said.

"Protecting member privacy is a top priority for Healthplex," according to a representative for Healthplex. "We're pleased to have reached a resolution and are grateful for the New York State Department of Financial Services' cooperation."

Healthplex: Healthplex, a dental plan manager, was founded in 1977 and is based in Uniondale, New York. A Florida dental plan manager, MCNA Dental, acquired Healthplex in 2019, and UnitedHealth acquired MCNA in 2020.

The phishing attack: "Phishing" is an attacker's technique of sending communications that appear to come from a legitimate entity in order to trick a victim into revealing confidential information, such as login credentials.

The attacker who started the Healthplex attack sent an email to a customer service rep at the company in 2022. The rep had worked for Healthplex for about 20 years.

The original phishing email "invited the employee to enter their business email login credentials to receive a fax message, which they did," according to the consent order. "This allowed the threat actor access to the employee's Microsoft Office 365 account."

The employee's inbox held more than 100,000 emails, "all of which were accessible to the threat actor," according to the consent order. "These emails contained the private health data and nonpublic information of tens of thousands of customers."

The threat actor used the employee's account to send emails to other Healthplex employees. Other employees reported receiving suspicious emails, and Healthplex then conducted a forensic review.

Healthplex estimated in a 2022 breach notice that the November 2021 attack likely affected up to 76,262 people.

Although Healthplex reported the attack itself and has been helpful, it did not report the attack to the New York department until April 8, 2022, New York department officials said.

The company did not have multi-factor authentication in place for all users logging on to its system, and it did not enforce records retention and disposal procedures, officials added.

"Proper disposal processes minimize the amount of [nonpublic information] accessible to an unauthorized third party during a cybersecurity event," officials said.

UnitedHealth subsidiaries have faced other cyberattacks in the past.

The company's Episource medical billing subsidiary estimated that a February 2025 attack could have exposed the personal data of up to 5.4 million people.

A February 2024 attack on UnitedHealth's Change Healthcare health data communications subsidiary may have affected 190 million people, according to a UnitedHealth notice.
