Delta Dental Fined $2.25M for Violations of New York Cybersecurity Regulations
The New York State Department of Financial Services (NYDFS) has announced that Delta Dental Insurance Company (DDIC) and Delta Dental of New York (DDNY), Inc. will pay a $2.25 million penalty to resolve allegations that they had inadequate incident response and cybersecurity incident notification policies and procedures, resulting in a significant breach of New Yorkers’ personal and health information.
HIPAA-regulated entities must ensure that they are fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules, but they must also ensure that they are compliant with laws in all states where they operate, and New York has strict cybersecurity regulations. “The Department’s nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers,” said Acting NYDFS Superintendent Asrow. “As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.”
DDIC and DDNY were investigated over a 2023 hacking incident involving their implementation of MOVEit Transfer software, a managed file transfer solution. Hackers exploited a zero-day vulnerability in the software to gain access to MOVEit Transfer servers. The hacking group, Cl0p, mass-exploited the vulnerability and attacked around 2,700 companies over the Memorial Day weekend in 2023. Between May 27 and May 30, 2023, the hackers had access to the DDIC and DDNY MOVEit Transfer software and exfiltrated around 60,000 files. The files contained names, addresses, Social Security numbers, driver’s license numbers, financial account information, and health information.
NYDFS was notified about the breach in December 2023, and the affected individuals were notified in March 2024. NYDFS launched its investigation and determined that DDIC and DDNY failed to comply with the state cybersecurity regulations, New York Codes, Rules and Regulations (23 NYCRR Part 500), specifically the requirements to implement policies, procedures, and controls to protect information systems containing consumer data and to implement appropriate data retention settings. Further, DDIC and DDNY failed to report their cybersecurity events in a timely manner to both NYDFS and consumers.
By default, MOVEit Transfer sets the data retention period at 30 days. NYDFS found that most of the data stolen from the servers was older than 30 days: certain folders had their data retention periods increased to 60 days, while others had data retention limits removed entirely. There were also no policies or procedures for requesting, reviewing, or approving changes to the data retention settings, so files remained on the exposed servers far longer than the default configuration would have allowed.