Overview

The New York State Department of Financial Services (NYSDFS) announced a $2.25 million cybersecurity settlement with Delta Dental following the insurer's exposure in the 2023 MOVEit file-transfer attack. The breach was part of a sweeping campaign by the Clop ransomware group, which exploited a zero-day vulnerability in Progress Software's MOVEit Transfer application to extract data from hundreds of organizations worldwide.

Delta Dental was among the affected MOVEit customers. More than 7 million patients had their data compromised in the Delta Dental incident, making it one of the larger individual exposures tied to the MOVEit campaign. The NYSDFS action focuses on the portion of affected individuals within New York and the insurer's obligations under the state's cybersecurity regulation, 23 NYCRR 500.

The settlement does not involve a finding of criminal liability but reflects NYSDFS's determination that Delta Dental failed to meet the cybersecurity requirements applicable to regulated entities operating in New York. The agreement adds to a growing body of state-level enforcement actions stemming from the MOVEit incident.

Key developments

Scale of exposure. Delta Dental's total breach count exceeded 7 million patients, placing it among the most significant single-entity disclosures tied to the Clop MOVEit campaign. The New York-specific figure represents a subset of that total, and the NYSDFS settlement reflects the state's jurisdictional reach over licensed insurers.

State-level cybersecurity regulation as an enforcement mechanism. The NYSDFS action was brought under 23 NYCRR 500, New York's dedicated cybersecurity regulation for financial services companies, which includes insurers. This framework operates independently of HIPAA and sets its own requirements for risk assessment, access controls, and third-party vendor oversight — demonstrating that healthcare-adjacent entities may face layered regulatory exposure beyond federal health privacy law.

Third-party and vendor risk at the center of the case. The MOVEit vulnerability was present in software operated by Progress Software, not Delta Dental itself. Nevertheless, regulators held Delta Dental accountable for the security of data processed through that vendor relationship. This signals that regulators expect covered entities to assess and monitor the security controls of their technology vendors, not merely obtain contractual assurances.

Enforcement momentum from MOVEit continues. Multiple federal and state regulators have pursued enforcement tied to the 2023 MOVEit campaign. The Delta Dental settlement demonstrates that these actions are still resolving years after the initial incident, and that financial penalties remain a concrete outcome even when the vulnerability originated with a software supplier.

Industry impact

The MOVEit campaign remains one of the most consequential supply-chain attacks in healthcare history. HHS's Office for Civil Rights received numerous breach notifications tied to the incident, and the total number of individuals affected across all sectors reached into the tens of millions globally. IBM's Cost of a Data Breach Report has consistently identified healthcare as the sector with the highest average breach cost of any industry, a figure that has exceeded $10 million per incident in recent reporting periods.

The Delta Dental settlement illustrates a pattern visible in OCR enforcement data as well: regulators do not limit liability to organizations that were directly compromised through their own deficient controls. Where a covered entity or regulated insurer routes protected data through a third-party platform, the organization retains accountability for ensuring that platform meets applicable security standards. The NYSDFS settlement reinforces that principle at the state level, and OCR's own guidance on business associate oversight reflects the same expectation at the federal level.

For dental insurers, clearinghouses, and any healthcare entity subject to both HIPAA and state financial or insurance regulation, the Delta Dental action illustrates that dual regulatory exposure is real and that state cybersecurity frameworks may impose standards that go beyond HIPAA's baseline requirements.

What this means for independent practices

Independent practices that route patient data through billing platforms, clearinghouses, or file-transfer services face the same category of exposure that produced this settlement. Vendor security is not a one-time due-diligence checkbox; it requires periodic reassessment as vendors update their software, change their infrastructure, or acquire other companies. Establishing a documented review cycle for third-party security — tied to contract renewal dates or annual risk analysis — is a practical way to keep that discipline current without requiring a dedicated security staff.

What would have prevented this

Third-party risk assessments with defined security baselines: Before routing protected data through any vendor platform, organizations should evaluate that vendor's vulnerability management practices, patch cadence, and security certification status. A documented baseline allows for comparison at each contract renewal.

Continuous vendor monitoring: Contractual security requirements are insufficient if the vendor's actual controls are not periodically verified. Monitoring programs that track vendor security advisories, public vulnerability disclosures, and patch release timelines allow organizations to act before a known flaw is exploited.

Data minimization and segmentation: Limiting the volume of data transmitted through any single third-party platform reduces the scope of exposure when that platform is compromised. Segmenting data flows so that no single vendor holds the complete dataset of millions of records is a structural control that reduces breach magnitude.

Patch and vulnerability management tied to critical vendors: The MOVEit vulnerability was a zero-day at the time of exploitation, but organizations with active monitoring of vendor security bulletins were better positioned to apply patches within hours of their release. A formal process for prioritizing patches on internet-facing file-transfer and data-exchange systems — with defined response windows for critical severity findings — is a recognized control category in NIST and CIS frameworks.
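The two controls above, tracking vendor advisories and holding patches on internet-facing systems to defined response windows, can be run as a small tracker. The following is an added example written for this summary, not code from the article, from Delta Dental, or from any vendor: the response windows, the tighter window for exposed critical findings, the vendor and product names, the advisory ids and the timestamps are all constructed values standing in for an organization's own policy and advisory feed.

```python
"""Vendor advisory tracking against defined patch response windows.

Added illustration, not code from the article or from any vendor. The
windows, the vendor and product names, the advisory ids and the timestamps
are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: time allowed from advisory publication to patch applied.
RESPONSE_WINDOWS = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}
# Assumed tighter window for critical findings on internet-facing systems,
# the case the article singles out for file-transfer and data-exchange hosts.
EXPOSED_CRITICAL_WINDOW = timedelta(hours=12)


@dataclass
class Advisory:
    vendor: str
    product: str
    advisory_id: str          # constructed ids, not real advisory numbers
    severity: str             # one of RESPONSE_WINDOWS' keys
    published: datetime
    internet_facing: bool
    patched: Optional[datetime] = None


def deadline(adv):
    """Patch-by time derived from severity and exposure."""
    window = RESPONSE_WINDOWS[adv.severity]
    if adv.internet_facing and adv.severity == "critical":
        window = EXPOSED_CRITICAL_WINDOW
    return adv.published + window


def evaluate(adv, now):
    """Return (state, hours): hours late for patched_late/overdue, hours left for open."""
    due = deadline(adv)
    if adv.patched is not None:
        late = adv.patched - due
        if late <= timedelta(0):
            return ("patched_in_window", 0.0)
        return ("patched_late", late.total_seconds() / 3600)
    remaining = due - now
    if remaining < timedelta(0):
        return ("overdue", -remaining.total_seconds() / 3600)
    return ("open", remaining.total_seconds() / 3600)


def prioritize(advisories, now):
    """Unpatched advisories only: most overdue first, then least time remaining."""
    rows = [(adv, *evaluate(adv, now)) for adv in advisories]
    rows = [row for row in rows if row[1] in ("overdue", "open")]
    return sorted(rows, key=lambda row: (0, -row[2]) if row[1] == "overdue" else (1, row[2]))


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample advisories from a hypothetical transfer-software vendor.
SAMPLE = [
    Advisory("Example Vendor", "transfer-gateway", "ADV-2023-0001", "critical", _utc(2023, 5, 31, 16), True),
    Advisory("Example Vendor", "admin-console", "ADV-2023-0002", "critical", _utc(2023, 6, 1, 20), False),
    Advisory("Example Vendor", "transfer-gateway", "ADV-2023-0003", "high", _utc(2023, 5, 30), True,
             patched=_utc(2023, 6, 1, 9)),
    Advisory("Example Vendor", "reporting", "ADV-2023-0004", "medium", _utc(2023, 4, 20), False,
             patched=_utc(2023, 5, 25)),
    Advisory("Example Vendor", "sdk", "ADV-2023-0005", "low", _utc(2023, 5, 1), False),
]

if __name__ == "__main__":
    now = _utc(2023, 6, 2, 12)
    for adv, state, hours in prioritize(SAMPLE, now):
        print(f"{adv.advisory_id} {adv.product:17} {state:8} {hours:7.1f} h")
```

Run as a script, the tracker lists the exposed critical finding as 32 hours overdue ahead of the internal critical finding with 8 hours left; the two patched advisories drop out of the queue but `evaluate` still records whether each was patched inside its window, which is the figure an assessor would ask for at contract renewal.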

Audit logging with anomaly detection on data-transfer systems: Maintaining detailed logs of data movement through file-transfer platforms, combined with alerting on unusual transfer volumes or access patterns, can reduce dwell time and limit the quantity of records exfiltrated before an incident is detected and contained.
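Alerting on unusual transfer volumes and access patterns, as the control above describes, can be illustrated with detection logic run over a small transfer log. The following is an added example for this summary, not code from the article or from any file-transfer product: the key=value log format, the sample lines, the service account name, the addresses and the thresholds (baseline length, size and daily-volume multipliers, quiet hours) are all constructed assumptions, and a real deployment would tune them against its own history.

```python
"""Volume and access-pattern anomaly detection over file-transfer logs.

Added illustration, not code from the article or from any product. The log
format, the sample lines, the account name and the thresholds are all
constructed for this example.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timezone
from statistics import median

Alert = namedtuple("Alert", "ts user kind detail")

# Hypothetical key=value transfer log; not any real product's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+) src=(?P<src>\S+)$"
)

# Constructed sample: a week of routine ~50 MB nightly batch pulls by one
# service account, then three large pulls at 02:00 UTC from a new address.
SAMPLE_LOG = """\
2023-05-20T22:01:10Z user=svc_claims action=DOWNLOAD file=claims_0520.csv bytes=52428800 src=198.51.100.7
2023-05-21T22:01:12Z user=svc_claims action=DOWNLOAD file=claims_0521.csv bytes=50331648 src=198.51.100.7
2023-05-22T22:01:09Z user=svc_claims action=DOWNLOAD file=claims_0522.csv bytes=54525952 src=198.51.100.7
2023-05-23T22:01:15Z user=svc_claims action=DOWNLOAD file=claims_0523.csv bytes=51380224 src=198.51.100.7
2023-05-24T22:01:11Z user=svc_claims action=DOWNLOAD file=claims_0524.csv bytes=53477376 src=198.51.100.7
2023-05-25T22:01:08Z user=svc_claims action=DOWNLOAD file=claims_0525.csv bytes=52428800 src=198.51.100.7
2023-05-26T22:01:13Z user=svc_claims action=DOWNLOAD file=claims_0526.csv bytes=50331648 src=198.51.100.7
2023-05-27T02:14:05Z user=svc_claims action=DOWNLOAD file=members_full.csv bytes=734003200 src=203.0.113.9
2023-05-27T02:16:40Z user=svc_claims action=DOWNLOAD file=providers_full.csv bytes=629145600 src=203.0.113.9
2023-05-27T02:19:02Z user=svc_claims action=DOWNLOAD file=claims_archive.zip bytes=1610612736 src=203.0.113.9
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def detect(records, baseline_days=7, size_factor=5.0, daily_factor=3.0, quiet_hours=range(0, 6)):
    """Score each user's downloads after a baseline window against that window.

    Baseline = the user's first `baseline_days` calendar days of downloads:
    median file size, largest single-day volume, and the set of source
    addresses seen. Factors and quiet hours are assumed tuning values.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "DOWNLOAD":
            by_user[r["user"]].append(r)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        day0 = recs[0]["ts"].date()
        baseline = [r for r in recs if (r["ts"].date() - day0).days < baseline_days]
        observed = [r for r in recs if (r["ts"].date() - day0).days >= baseline_days]
        if not baseline or not observed:
            continue  # not enough history to judge, or nothing new to judge

        median_size = median(r["bytes"] for r in baseline)
        per_day = defaultdict(int)
        for r in baseline:
            per_day[r["ts"].date()] += r["bytes"]
        max_daily = max(per_day.values())
        known_src = set(r["src"] for r in baseline)

        running = defaultdict(int)   # bytes so far on each observed day
        flagged_days = set()
        for r in observed:
            if r["bytes"] > size_factor * median_size:
                alerts.append(Alert(r["ts"], user, "large_download",
                                    f"{r['file']} {r['bytes']} B > {size_factor}x median {median_size:.0f} B"))
            if r["src"] not in known_src:
                known_src.add(r["src"])  # report each new address once
                alerts.append(Alert(r["ts"], user, "new_source", r["src"]))
            if r["ts"].hour in quiet_hours:
                alerts.append(Alert(r["ts"], user, "quiet_hours", r["ts"].strftime("%H:%M UTC")))
            day = r["ts"].date()
            running[day] += r["bytes"]
            if day not in flagged_days and running[day] > daily_factor * max_daily:
                flagged_days.add(day)  # fires on the first record that crosses the line
                alerts.append(Alert(r["ts"], user, "daily_volume",
                                    f"{running[day]} B so far on {day} > {daily_factor}x peak day {max_daily} B"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'large_download': 3, ...}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a.ts.isoformat(), a.user, a.kind, a.detail)
```

On the constructed log the first out-of-pattern download trips all four checks at 02:14 UTC, before the second and third pulls complete; that timing is the point of the control, since an alert raised on the first oversized transfer bounds how many records leave before the account is disabled. The daily-volume check deliberately fires once per day rather than on every record so that a genuine burst does not flood the queue.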

Read the original at DataBreaches.net