NYDFS Imposes $2M Penalty for Violations of its Cybersecurity Regulation
Consent order between New York state regulator and company highlights multi-factor authentication requirement and failure to timely report the Cyber Event. The New York State Department of Financial Services (NYDFS) announced on August 14, 2025 , resolution of civil enforcement action requiring Healthplex, Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil penalty under a consent order for violations of the NYDFS cybersecurity regulation (23 NYCRR Part 500) . The NYDFS alleges in the consent order that a threat actor gained access to Healthplex’s information systems through a phishing attack on an employee’s email account, and that Healthplex’s cybersecurity program was not adequately calibrated to protect against, mitigate or respond to the incident. As a result, the threat actor gained access to the private health data and sensitive nonpublic information (NPI) of tens of thousands of consumers. The consent order states t...