
Healthplex Inc. Consent Order with NY DFS

NY DFS Enforcement Actions (www.dfs.ny.gov)
Filed August 14th, 2025
Detected February 27th, 2026

Summary

The New York State Department of Financial Services (DFS) issued a consent order against Healthplex, Inc. for violations of the state's Cybersecurity Regulation. Healthplex will pay a penalty and must implement corrective actions to comply with data protection and multi-factor authentication requirements.

What changed

The New York State Department of Financial Services (DFS) has entered into a consent order with Healthplex, Inc., an independent adjuster and insurance agent, resolving alleged violations of New York's Cybersecurity Regulation (23 NYCRR Part 500). The investigation found that Healthplex failed to implement multi-factor authentication for external network access, lacked secure disposal policies for nonpublic information, and did not promptly notify DFS of a reportable cybersecurity event. These violations pertain to sections 500.12, 500.13, and 500.17(a) of the regulation.

As a result of this consent order, Healthplex is required to pay a penalty and implement specific corrective actions to ensure compliance with the Cybersecurity Regulation. This enforcement action highlights the DFS's commitment to enforcing its cybersecurity mandates and underscores the importance for all covered entities to maintain robust data protection measures, including timely reporting of cybersecurity events and adherence to authentication and data disposal standards. Failure to comply with these requirements can result in significant penalties and reputational damage.

What to do next

  1. Review and update multi-factor authentication policies and implementation for external network access.
  2. Develop and implement comprehensive policies and procedures for the secure disposal of nonpublic information.
  3. Ensure timely notification of any reportable cybersecurity events to the DFS within 72 hours.

Penalties

A monetary penalty is implied by the consent order, though the specific amount is not detailed in this excerpt. Healthplex is also required to implement corrective actions.

Source document (simplified)

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES
ONE STATE STREET
NEW YORK, NEW YORK 10004

In the Matter of: HEALTHPLEX, INC.

CONSENT ORDER

The New York State Department of Financial Services (the “Department” or “DFS”) and Healthplex, Inc. (“Healthplex” or the “Company”) are willing to resolve the matters described herein without further proceedings.

WHEREAS, Healthplex is licensed by the Department as an independent adjuster and as a life and/or accident health insurance agent;

WHEREAS, Healthplex provides clients with dental insurance management services and has extensive experience in both government-funded and commercial dental programs;

WHEREAS, August 29, 2017, marked the initial effective date of New York’s first-in-the-nation cybersecurity regulation, 23 NYCRR Part 500 (the “Cybersecurity Regulation”) [1];

WHEREAS, the Cybersecurity Regulation defines clear standards for cooperative industry compliance, robust consumer data protection, vital cybersecurity controls, timely notification of reportable Cybersecurity Events, as defined by 23 NYCRR § 500.01(d), and was promulgated to strengthen cybersecurity and data protection for the industry and consumers;

WHEREAS, the Department has been investigating a Cybersecurity Event experienced within Healthplex, as well as Healthplex’s compliance with the Cybersecurity Regulation; and

WHEREAS, based on the investigation the Department has concluded that Healthplex violated the following sections of the Cybersecurity Regulation:

(1) 23 NYCRR § 500.12, which requires Covered Entities to implement multi-factor authentication (“MFA”) for any individual accessing the Covered Entity’s internal networks from an external network, or reasonably equivalent or more secure access controls approved in writing by the Chief Information Security Officer;

(2) 23 NYCRR § 500.13, which requires Covered Entities to develop policies and procedures for the secure disposal of Nonpublic Information (“NPI”);

(3) 23 NYCRR § 500.17(a), which requires Covered Entities to notify the superintendent as promptly as possible, but in no event later than seventy-two (72) hours from a determination that a reportable Cybersecurity Event has occurred, of such Cybersecurity Event; and

(4) 23 NYCRR § 500.17(b), which requires Covered Entities to certify that they are in compliance with the requirements of the Cybersecurity Regulation.

[1] All citations to 23 NYCRR Part 500 herein refer to the Cybersecurity Regulation as it read prior to November 1, 2023.

NOW THEREFORE, in connection with an agreement to resolve this matter without further proceedings, the Department finds as follows:

THE DEPARTMENT’S FINDINGS

Introduction

1. The Department is the insurance regulator of the State of New York. The Superintendent of Financial Services is responsible for ensuring the safety and soundness of New York’s insurance industry and promoting the reduction and elimination of fraud, abuse, and unethical conduct with respect to insurance licensees.

2. The Superintendent has authority to conduct investigations, bring enforcement proceedings, levy monetary penalties, and order injunctive relief against parties who have violated the relevant laws and regulations.

3. Among her many roles is the Superintendent’s consumer protection function, which includes the critical protection of individuals’ private and personally sensitive data from careless, negligent, or willful exposures by licensees of the Department.

4. To support this critical obligation, the Cybersecurity Regulation places on all DFS-regulated entities (“Covered Entities”), including Healthplex, an obligation to establish and maintain a cybersecurity program, based on a risk assessment and designed to protect the confidentiality, integrity, and availability of its Information Systems and NPI contained therein. 23 NYCRR §§ 500.1(c), 500.1(e), 500.1(g), 500.1(k), 500.2(b).

5. The Cybersecurity Regulation also contains requirements to protect Covered Entities’ internal networks from threat actors seeking to access and exploit NPI. Specifically, Section 500.12(b) requires that Covered Entities implement MFA “for any individual accessing the Covered Entity’s internal networks from an external network.” 23 NYCRR §§ 500.01(f), 500.12(b). MFA requires two or more distinct authentication factors for successful access, such that username and password credentials alone are insufficient for access. MFA is the first line of defense against attempts to gain unauthorized access to accounts, including through phishing emails, which are emails sent by cyber attackers to deceive users into providing personal details or other confidential information to permit unauthorized access or harm to protected information systems.

6. To further ensure the security and protection of NPI and prevent Cybersecurity Event(s), as defined below, Covered Entities must also implement “policies and procedures for the secure disposal on a periodic basis of any [NPI] . . . that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity.” 23 NYCRR § 500.13.

7. A “Cybersecurity Event” is an act or attempt, whether or not successful, to gain unauthorized access to information stored on an information system or disrupt or misuse such information system. 23 NYCRR § 500.01(d). Covered Entities must notify the Department of certain Cybersecurity Events pursuant to 23 NYCRR §§ 500.17(a).

8. Finally, Covered Entities are required to submit an annual certification to the Department regarding their compliance with the Cybersecurity Regulation. 23 NYCRR § 500.17(b). A Covered Entity should not certify that it is in compliance with the Cybersecurity Regulation when in fact it is not.

Events at Issue

The Cybersecurity Event

9. Healthplex reported a Cybersecurity Event to the Department on April 8, 2022 (the “Cyber Event”). Healthplex reported that an employee’s email account was compromised due to that employee (the “Account Associate”) receiving and clicking on a phishing email. As a result, the NPI of tens of thousands of New York residents was accessible, including names, addresses, dates of birth, social security numbers, financial information, driver’s license numbers, and personal health information. Not all data elements were available for all individuals.

10. Healthplex first became aware of the Cyber Event on November 24, 2021, when employees received a suspicious email from the Account Associate and reported it internally.

11. In response to the Cyber Event, Healthplex conducted a forensic review and determined that the original phishing email, sent on November 22 or 23, 2021, invited the employee to enter their business email login credentials to receive a fax message, which they did. This allowed the threat actor access to the employee’s Microsoft Office 365 account (“O365”).

Data Retention and MFA Implementation

12. Upon investigation, the Department found that Healthplex failed to have a data retention policy in place on its O365 environment and that MFA was not enabled for Healthplex’s Outlook Web Access at the time the original phishing email was received.

13. The Account Associate is a customer service employee whose job role and responsibilities involved assisting with Customer Service Requests and providing support to clients and had been employed by the company for approximately twenty (20) years.

14. Proper disposal processes minimize the amount of NPI accessible to an unauthorized third party during a Cybersecurity Event. Due to the lack of a data retention policy at Healthplex, as required by 23 NYCRR § 500.13, the compromised email box contained over one hundred thousand emails, all of which were accessible to the threat actor. These emails contained the private health data and NPI of tens of thousands of consumers.

15. Pursuant to Section 500.12(b) of the Cybersecurity Regulation, MFA must be utilized for individuals accessing a Covered Entity’s internal network from an external network.

16. While Healthplex had MFA in place on its previous email environment, when it migrated to O365 earlier in 2021, Healthplex failed to ensure that the MFA function was completely operational for those accessing O365 from an external web browser, in violation of 23 NYCRR § 500.12(b).

17. As such, the threat actor was able to access the Account Associate’s email box through a web browser without having to bypass any MFA controls.

Notice of the Cyber Event

18. Section 500.2(b) of the Cybersecurity Regulations details the core cybersecurity functions that a Covered Entity’s cybersecurity program should be designed to perform. One such core function is that a cybersecurity program must be designed to ensure that a Covered Entity is able to “fulfill applicable regulatory reporting obligations.” 23 NYCRR § 500.2(b)(6).

19. One such regulatory reporting requirement is contained in Section 500.17(a) of the Cybersecurity Regulation. Pursuant to Section 500.17(a), a Covered Entity is required to notify the Superintendent as promptly as possible, but in no event later than seventy-two (72) hours, from a determination that a reportable cybersecurity event has occurred.

20. Healthplex first learned of the Cybersecurity Event on November 24, 2021. Through its investigation, Healthplex determined that the compromised email box contained NPI, and necessitated the provision of notice to certain government bodies. Healthplex reported the Cyber Event to the Department on April 8, 2022.

Part 500 Compliance Certification

21. Pursuant to 23 NYCRR § 500.17(b), Covered Entities are required to annually certify to the Department that they are in compliance with the Cybersecurity Regulation.

22. Healthplex certified compliance with the Cybersecurity Regulation for the 2018 calendar year on February 8, 2019.

23. Healthplex certified compliance with the Cybersecurity Regulation for the 2019 calendar year on August 27, 2020.

24. Healthplex certified compliance with the Cybersecurity Regulation for the 2020 calendar year on April 12, 2021.

25. Healthplex certified compliance with the Cybersecurity Regulation for the 2021 calendar year on April 15, 2022.

26. Although Healthplex’s certifications were timely, in light of the foregoing findings, Healthplex was not in compliance with the Cybersecurity Regulation at the time of the certifications.

27. Thus, Healthplex’s certifications for the calendar years 2018 through 2021, attesting to its compliance with the Cybersecurity Regulation, were improper.

Violations of Law and Regulations

28. At the time of the Cyber Event, Healthplex had not fully implemented MFA on its O365 environment, and no reasonably equivalent or more secure access controls were approved in writing by the Company’s Chief Information Security Officer, in violation of 23 NYCRR § 500.12(b).

29. Healthplex failed to include policies and procedures for the secure disposal on a periodic basis of NPI in its cybersecurity program, in violation of 23 NYCRR § 500.13.

30. Healthplex failed to notify the Department of the Cyber Event within seventy-two hours, in violation of 23 NYCRR § 500.17(a).

31. Healthplex improperly certified compliance with the Cybersecurity Regulation for the calendar years 2017-2021, in violation of 23 NYCRR § 500.17(b).

NOW THEREFORE, to resolve this matter without further proceedings, the Department and the Company stipulate and agree to the following terms and conditions:

SETTLEMENT PROVISIONS

Monetary Penalty

32. No later than ten (10) days after the Effective Date (as defined below) of this Consent Order, the Company shall pay a total civil monetary penalty pursuant to Financial Services Law § 408 to the Department in the amount of Two Million Dollars and 00/100 Cents ($2,000,000). The payment shall be in the form of a wire transfer in accordance with instructions provided by the Department.

33. The Company shall not claim, assert, or apply for a tax deduction or tax credit with regard to any U.S. federal, state, or local tax, directly or indirectly, for any portion of the civil monetary penalty paid pursuant to this Consent Order.

34. The Company shall neither seek nor accept, directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including but not limited to, payment made pursuant to any insurance policy.

35. In assessing a penalty for failures in cybersecurity compliance and required reporting, the Department has taken into account factors that include, without limitation: the extent to which the entity has cooperated with the Department in the investigation of such conduct, the gravity of the violations, and such other matters as justice and the public interest may require.

36. The Department acknowledges Healthplex’s cooperation throughout this investigation. The Department also recognizes and credits Healthplex’s ongoing efforts to remediate the shortcomings identified in this Consent Order, including enabling MFA for web browser access to Healthplex’s O365 environment and adopting a record retention policy.

Remediation

37. Healthplex shall continue to strengthen its controls to protect its Information Systems and the NPI it maintains in accordance with the requirements of the Cybersecurity Regulation.

MFA Audit

38. Within sixty (60) days of the Effective Date of this Consent Order, the Company shall hire a third-party auditor to conduct an audit of current MFA controls related to the (1) integrated infrastructure in which the Healthplex business operates; and (2) shared systems that support Healthplex’s core business functions, such as O365, Azure, and claims system (the “MFA Audit”). The Department’s approval of the third-party auditor shall not be unreasonably withheld.

39. The MFA Audit shall be completed within ninety (90) days following hiring the third-party auditor. Healthplex shall submit the results of the MFA Audit to the Department.

40. To the extent material issues are discovered in the MFA Audit, Healthplex will remediate those issues within a reasonable timeframe agreed to by the Department. Healthplex will provide proof of remediation to the Department upon completion.

Full and Complete Cooperation

41. The Company commits and agrees that it will fully cooperate with the Department regarding all terms of this Consent Order.

Further Action by the Department

42. No further action will be taken by the Department against the Company or its successors for the conduct set forth in this Consent Order, or in connection with the remediation set forth in this Consent Order, provided that the Company fully complies with the terms of the Consent Order.

43. Notwithstanding any other provision in this Consent Order, however, the Department may undertake additional action against the Company for transactions or conduct that were not disclosed in the written materials submitted to the Department in connection with this matter.

Waiver of Rights

44. The Company submits to the authority of the Superintendent to effectuate this Consent Order.

45. The parties understand and agree that no provision of this Consent Order is subject to review in any court, tribunal, or agency outside of the Department.

Parties Bound by the Consent Order

46. This Consent Order is binding on the Department and the Company, as well as any successors and assigns. This Consent Order does not bind any federal or other state agency or any law enforcement authority.

Breach of Consent Order

47. In the event that the Department believes the Company to be in material breach of the Consent Order, the Department will provide written notice to the Company, and the Company must, within ten (10) days of receiving such notice, or on a later date if so determined in the Department’s sole discretion, appear before the Department to demonstrate that no material breach has occurred or, to the extent pertinent, that the breach is not material or has been cured.

48. The Company understands and agrees that its failure to make the required showing within the designated time period shall be presumptive evidence of the Company’s breach. Upon a finding that a breach of this Consent Order has occurred, the Department has all the remedies available to it under the New York Insurance and Financial Services Laws, and any other applicable laws, and may use any evidence available to the Department in any ensuing hearings, notices, or orders.

Notices

49. All notices or communications regarding this Consent Order shall be sent to:

For the Department:

Avery Heisler
Assistant Deputy Superintendent
Consumer Protection and Financial Enforcement
New York State Department of Financial Services
One State Street
New York, New York 10004

Madeline W. Murphy
Deputy Director of Enforcement
Consumer Protection and Financial Enforcement
New York State Department of Financial Services
One Commerce Plaza
Albany, New York 12257

For Healthplex:

Shannon Lepage
Chief Executive Officer
Healthplex, Inc.
1985 Marcus Avenue, Suite 110
New Hyde Park, New York 11042

Miscellaneous

50. This Consent Order and any dispute thereunder shall be governed by the laws of the State of New York without regard to any conflicts of laws principles.

51. This Consent Order may not be altered, modified, or changed unless in writing and signed by the parties hereto.

52. This Consent Order constitutes the entire agreement between the Department and the Company and supersedes any prior communication, understanding, or agreement, whether written or oral, concerning the subject matter of this Consent Order.

53. Each provision of this Consent Order shall remain effective and enforceable against the Company, its successors, and assigns, until stayed, modified, suspended, or terminated by the Department.

54. In the event that one or more provisions contained in this Consent Order shall for any reason be held to be invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenforceability shall not affect any other provision of this Consent Order.

55. No promise, assurance, representation, or understanding other than those contained in this Consent Order has been made to induce any party to agree to the provisions of this Consent Order.

56. Nothing in this Consent Order shall be construed to prevent any consumer or any other third party from pursuing any right or remedy at law.

57. This Consent Order may be executed in one or more counterparts and shall become effective when such counterparts have been signed by each of the parties hereto (the “Effective Date”).

[remainder of this page intentionally left blank]

IN WITNESS WHEREOF, the parties have caused this Consent Order to be signed on the dates set forth below.

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES

By: /s/ Madeline W. Murphy
MADELINE W. MURPHY
Deputy Director of Enforcement
Consumer Protection and Financial Enforcement
August __, 2025

By: /s/ Christopher B. Mulvihill
CHRISTOPHER B. MULVIHILL
Deputy Superintendent for Consumer Protection and Financial Enforcement
August __, 2025

By: /s/ R. Gabriel D. O'Malley
R. GABRIEL D. O’MALLEY
Executive Deputy Superintendent for Consumer Protection and Financial Enforcement
August __, 2025

HEALTHPLEX, INC.

By: /s/ Shannon LePage
SHANNON LEPAGE
Chief Executive Officer
August __, 2025

THE FOREGOING IS HEREBY APPROVED. IT IS SO ORDERED.

/s/ Adrienne A. Harris
ADRIENNE A. HARRIS
Superintendent of Financial Services
August __, 2025

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
State Insurance Departments (10 States)
Filed
August 14th, 2025
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Insurers
Geographic scope
State (New York)

Taxonomy

Primary area
Cybersecurity
Operational domain
Compliance
Topics
Insurance Data Protection
