Delta Dental to pay $2.25M after investigation tied to MOVEit breach

New York’s Department of Financial Services (DFS) announced on April 30, 2026, that Delta Dental Insurance Company and Delta Dental of New York will pay a $2.25 million civil penalty after a DFS investigation found violations of New York’s cybersecurity regulation, 23 NYCRR Part 500.

What happened

The case stems from the companies’ use of MOVEit Transfer servers to move files among affiliates, customers, business partners, providers, and employees. In mid-2023, attackers exploited a previously unknown MOVEit Transfer vulnerability, gaining unauthorized access to the companies’ servers and exfiltrating files that contained consumer nonpublic information.

DFS noted the companies’ cybersecurity program did not meet regulatory requirements because it lacked adequate retention controls, written disposal policies, incident response guidance, and timely reporting procedures. The consent order adds more detail, stating that Delta Dental’s parent cyber program detected suspicious MOVEit activity on June 1, 2023, found a webshell the same day, and later confirmed that files had been exfiltrated between May 28 and May 30, 2023.

In the know

MOVEit is a managed file transfer product owned by Progress Software and used by organizations to securely exchange sensitive business files, with features such as encryption, access controls, audit trails, and reporting for regulated environments. Progress describes MOVEit Transfer as software for exchanging critical business data and documenting transfer activity through audit trails. Its broader MOVEit product page positions it as a secure managed file transfer tool for reducing risky, decentralized file-sharing practices.

MOVEit became a major cybersecurity story in 2023 after Progress disclosed a critical MOVEit Transfer vulnerability on May 31, 2023, warning that the flaw could allow escalated privileges and unauthorized access. The vulnerability, tracked as CVE-2023-34362, was later described by the National Institute of Standards and Technology as a SQL injection flaw in the MOVEit Transfer web application that could let an unauthenticated attacker access the MOVEit Transfer database.

The 2023 DFS notice on MoveIt stated, “All regulated entities should promptly assess risk to their organization, customers, consumers, and third party service providers based upon the evolving information and take action to mitigate risk. As you assess your risk,”

What was said

According to Acting Superintendent Asrow in the press release, “The Department’s nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers. As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.

Why it matters

Paubox’s 2025 report on top healthcare email attacks makes the Delta Dental case easier to understand, even though MOVEit is not an email platform. The report found that vendor and business associate exposure was the most common email breach pattern in 2025, accounting for 28% of email incidents reported to HHS. The broader point is that healthcare organizations do not always lose data because their own system was directly attacked.

Sometimes the risk sits inside the tools, vendors, and workflows they already trust. Paubox also pointed to familiar weak spots: relying on business associate agreements instead of technical safeguards, uneven protections between organizations and vendors, and poor visibility into how PHI is handled after it leaves the organization. Delta Dental fits that pattern. A trusted file-transfer workflow became the access point, and DFS treated the incident as a governance failure.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is 23 NYCRR Part 500?

23 NYCRR Part 500 is New York’s cybersecurity regulation for financial services companies supervised by the Department of Financial Services, including certain insurers.

What is data exfiltration?

Data exfiltration happens when an attacker removes or copies data from a system without authorization.

What is a retention control?

A retention control limits how long organizations store data, which helps reduce the amount of sensitive information available if a system is compromised.