New York Fines Delta Dental $2.25M for MOVEit Hack Violations

Investigators calculated that hackers stole approximately 60,000 files from Delta Dental’s MOVEit servers during the 2023 mass exploit, and New York’s financial regulator has fined the company $2.25 million over its response.

New York Department of Financial Services issues consent order and fine

On April 29 the New York Department of Financial Services (NYDFS) entered a consent order with Delta Dental of New York and its parent, Delta Dental Insurance, assessing a $2.25 million civil monetary penalty related to the company’s handling of the 2023 Progress Software MOVEit file transfer breach. The order documents NYDFS investigators’ findings about the scale of the data theft and specific regulatory violations tied to the company’s cybersecurity program and breach reporting.

What was taken and how long it remained exposed

NYDFS records state that roughly 60,000 files were stolen in the incident. Those files included insureds’ names, addresses, Social Security numbers, driver’s license information, financial account information and patient health information. Delta Dental previously told regulators in September 2023 that hackers had accessed data for nearly 7.1 million customers; independent reporting cited by NYDFS notes that the broader MOVEit attack affected more than 2,700 organizations and nearly 96 million individuals globally, according to security firm Emsisoft.

Delta Dental detected a web shell on its MOVEit servers on June 1, 2023, a result of the SQL-injection zero-day that the Russian-speaking cybercriminal group Clop exploited in its automated Memorial Day 2023 campaign. State investigators found that the majority of the exfiltrated files had been present on the MOVEit servers for more than 30 days.

Data retention changes and written-policy gaps

Investigators noted that, at the time of the incident, Delta Dental had recently changed retention settings on its MOVEit environment: retention periods previously set at 30 days had been extended to 45 and 60 days in some cases, and in some instances retention settings were disabled entirely depending on the data. NYDFS said the company had not reflected those retention changes in its written data-retention policies. The consent order cites violations of state cybersecurity regulations requiring secure disposal of nonpublic information that is no longer necessary for business operations.
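The gap NYDFS describes is between a written policy (30 days) and live retention settings (45 days, 60 days, or disabled). The following is an added audit script, not Delta Dental's or NYDFS's material: it takes a constructed file inventory and hypothetical folder names, reports which folders drift from the documented window, and lists files that survive the configured retention but that the written policy says should already have been purged as of a given date.

```python
from datetime import date

# Constructed sample data (folder names and files are hypothetical, not from the order).
DOCUMENTED_RETENTION_DAYS = 30                 # what the written policy says
CONFIGURED_RETENTION = {                       # what the server was actually set to
    "claims": 45,                              # extended from 30 to 45 days
    "provider-exports": 60,                    # extended from 30 to 60 days
    "archive": None,                           # retention disabled entirely
}
FILES = [                                      # (folder, file name, upload date)
    ("claims", "claims-2023-04-25.csv", date(2023, 4, 25)),
    ("claims", "claims-2023-05-20.csv", date(2023, 5, 20)),
    ("provider-exports", "providers-2023-04-05.csv", date(2023, 4, 5)),
    ("archive", "phi-batch-2022-11-01.zip", date(2022, 11, 1)),
]


def retention_drift(documented_days, configured):
    """Folders whose effective retention is longer than, or disables, the documented window."""
    return {f: d for f, d in configured.items() if d is None or d > documented_days}


def file_age_days(uploaded, as_of):
    return (as_of - uploaded).days


def present_under_config(folder, uploaded, configured, as_of):
    """A file is still on disk if retention is disabled or its age is below the configured limit."""
    limit = configured[folder]
    return limit is None or file_age_days(uploaded, as_of) < limit


def excess_exposure(files, documented_days, configured, as_of):
    """Files that survive the configured retention but that the written policy says should be gone.

    Returns (folder, name, age_in_days, days_beyond_policy) for each such file.
    """
    out = []
    for folder, name, uploaded in files:
        if not present_under_config(folder, uploaded, configured, as_of):
            continue
        age = file_age_days(uploaded, as_of)
        if age >= documented_days:
            out.append((folder, name, age, age - documented_days))
    return out


if __name__ == "__main__":
    as_of = date(2023, 6, 1)  # the date the web shell was detected
    print("retention drift:", retention_drift(DOCUMENTED_RETENTION_DAYS, CONFIGURED_RETENTION))
    for row in excess_exposure(FILES, DOCUMENTED_RETENTION_DAYS, CONFIGURED_RETENTION, as_of):
        print("beyond written policy: %s/%s age=%dd excess=%dd" % row)
```

Run against a real inventory export, the second report is the set of files whose exposure window existed only because the live settings diverged from the documented policy.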

Reporting failures and procedural breaches

NYDFS concluded that Delta Dental violated the state requirement to notify the regulator within 72 hours of determining that a cybersecurity event had occurred. The company did not notify NYDFS until Dec. 15, 2023. Investigators also found that the company lacked the cyber incident reporting plan required under the state’s cybersecurity regulations. The consent order records those findings but does not impose specific corrective-action mandates on Delta Dental.

What this means for technologists, regulators, and affected individuals

  • Technologists and security teams: retention settings and their alignment with written policy will be a focal point. NYDFS’s findings show that operational changes to retention windows, whether extensions or outright disabling of retention, can carry regulatory consequences when documentation does not match the live settings.
  • Policymakers and regulators: the consent order demonstrates NYDFS’s willingness to levy monetary penalties where it finds violations of state cybersecurity rules, even though in this case the order required no additional corrective actions.
  • Affected insureds and patients: the files NYDFS says were stolen included personally identifiable information and patient health information; the consent order records the types of data exposed but does not itself prescribe remedial measures for affected individuals.

Delta Dental did not immediately respond to a request for comment on the settlement, and the consent order itself does not require specific corrective actions. That leaves a central, concrete question from NYDFS’s findings: how will data-retention practices and breach-notification timelines be reconciled with written policies and regulatory expectations to prevent a repeat of a months-long exposure window in future incidents?
