ACCORDING to the New York State Department of Financial Services, Delta Dental Insurance Company (DDIC) and Delta Dental of New York, Inc. (DDNY) will pay a $2.25 million penalty for violations of the department’s cybersecurity regulation. The consent order reviewed by the DFS found that inadequate incident response policies and procedures allowed threat actors to exploit MOVEit Transfer vulnerabilities and obtain unauthorized access to New Yorkers’ personal information.
The DFS press release, dated 30 April 2026, states that the regulation requires organisations to have policies and procedures for secure data disposal, incident response planning, and timely reporting of cybersecurity events, and notes that DDIC and DDNY were solely responsible for the penalty. The article notes that more than 7 million patients were affected by the MOVEit breach overall, though the number specific to New York State patients is not provided.
It also highlights that the DFS cybersecurity regulation became effective in March 2017, with an updated amendment in November 2023 designed to strengthen protections for consumers.