NYDFS Ramps Up Health Care Cybersecurity Enforcement With $2.25 Million Settlement
Client Alert | 5 min read | 05.12.26
On April 29, 2026, the New York Department of Financial Services (NYDFS) announced the finalization of a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co., resolving allegations that the affiliated companies failed to comply with the state’s stringent cybersecurity, consumer data protection, and incident reporting requirements. For health insurers, managed care organizations, and their third-party service providers operating in New York, the announcement comes as the latest signal that the NYDFS intends to aggressively enforce its cybersecurity regulations — which are widely considered the strictest in the nation following a 2023 overhaul. These regulations, codified at 23 NYCRR 500 (Cybersecurity Requirements for Financial Services Organizations), apply to any entity licensed under New York insurance law, including health insurers, managed care organizations, and their third-party service providers.
This recent development both spotlights the enhanced compliance obligations payors operating in New York state face under the revamped NYDFS regulations and illustrates the importance of proactively developing, enacting, and communicating a comprehensive cybersecurity strategy that encompasses:
- A clear data retention policy that ensures timely disposal of plan members' nonpublic information (NPI).
- Detailed and actionable guidance for employees in the event of a cyber breach or other incident.
- Instructions for employees to comply with all state-level notice requirements (including disclosures to members and regulators) within statutory deadlines.
- Risk mitigation strategies and compliance best practices regarding the use of vendor tools and services.
Enforcement in Perspective: Why the Delta Dental Settlement Matters
The Delta Dental investigation arose from a 2023 data breach in which hackers took advantage of a then-unknown flaw in MOVEit, a third-party file transfer tool used by the organization to securely transfer data. The breach exposed approximately 60,000 files containing sensitive policyholder information, including Social Security numbers, financial details, and health records. Following a NYDFS investigation, regulators contended that the companies lacked adequate data disposal policies, failed to maintain sufficiently detailed incident response plans, and did not notify authorities until mid-December 2023 — a date well beyond the rule’s required 72-hour reporting window. The matter was ultimately resolved through a consent order requiring a $2.25 million payment; however, the underlying investigation provides invaluable insight into the NYDFS’ enforcement strategy and potential compliance risks.
First, it should be noted that the Delta Dental matter is one of two multimillion-dollar resolutions pursued by the NYDFS against health care organizations alleged to have violated the state’s robust cybersecurity requirements within the last calendar year. In August 2025, the NYDFS resolved an action against Healthplex, Inc., a dental insurance management services company licensed as an independent adjuster and insurance agent, following allegations that its inadequate cybersecurity protocols — and, in particular, its alleged failure to fully implement multi-factor authentication (MFA) safeguards — contributed to the exposure of customer data after a 2021 phishing attack.
Second, the investigation illustrates that HIPAA compliance does not satisfy a payor’s full cybersecurity obligations under New York law. The Delta Dental matter focused in part on alleged violations of Section 500.13 of 23 NYCRR 500, which requires covered entities to establish policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations. This is a data minimization standard more commonly associated with privacy law than with HIPAA, which focuses primarily on limiting access to and disclosure of data rather than mandating deletion. Organizations that have built their compliance programs around HIPAA alone may be leaving a significant gap with respect to this deletion obligation — one that the NYDFS appears to be actively closing through enforcement.
Third, it is worth noting that both the Delta Dental and Healthplex matters are among the first enforcement actions brought against health care organizations in the period following the amendment of 23 NYCRR 500. Importantly, however, both enforcement actions were brought under the version of the regulations that predated the November 2023 amendments — meaning even the pre-amendment obligations are being actively enforced. The final phase of new requirements took effect in November 2025, imposing new obligations regarding:
- Multi-factor authentication (MFA). The updated regulations now require MFA for all individuals accessing any of a covered entity’s information systems, applying without distinction as to where a user is located, what role they hold, or what category of data happens to reside on the system in question. Entities that qualify for the limited exemption under Section 500.19(a) face a narrower but still significant obligation: MFA must be in place for remote access to the covered entity's own systems, access to outside applications — including those hosted in the cloud — that handle nonpublic information, and all elevated-privilege accounts, with the exception of service accounts that do not permit interactive login. As artificial intelligence tools become more deeply integrated into payor operations, the breadth of this obligation is likely to expand accordingly.
- Asset inventory. Covered entities must now maintain a formal, well-documented record of all information systems within the organization, supported by written procedures that address how asset details are captured and how often the inventory is reviewed and confirmed as current.
Finally, organizations should be aware that the NYDFS has made clear it will not permit responsibility for cybersecurity compliance to be delegated to vendors. In an October 2025 guidance, NYDFS signaled that it will hold covered organizations (defined in 23 NYCRR 500 as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”) accountable when vendor oversight is inadequate, treating such gaps as relevant considerations in regulatory reviews and disciplinary proceedings.
Implications and Recommendations for Payors
The Delta Dental settlement, taken in conjunction with recent NYDFS communications and the 2025 Healthplex action, makes it clear that the NYDFS views cybersecurity enforcement in the health care and insurance sectors as an ongoing priority — and that compliance with the amended 23 NYCRR 500 requirements will be closely scrutinized. Health insurers and managed care organizations operating in New York should treat these enforcement actions not merely as cautionary tales, but as a roadmap for the compliance gaps regulators are most likely to target, including data disposal practices, incident response planning, vendor oversight, and MFA implementation.
Our lawyers are available to provide comprehensive counseling to help health insurers and managed care organizations assess and strengthen their cybersecurity compliance programs, evaluate vendor due diligence practices, and align privacy and security policies with NYDFS requirements. Proactive engagement with these obligations, rather than reactive remediation following a breach or regulatory inquiry, remains the most effective strategy for managing enforcement risk under New York’s increasingly rigorous cybersecurity framework.