⚠️ Enforcement Alert May 2026 · 8 min read

$2.25 Million Fine.
Five Violations.
All Preventable.

A major dental insurer just paid $2.25 million for cybersecurity failures that mental health practices make every single day. Here is what happened — and what your practice must do right now.

$2.25M
Settlement fine paid
Delta Dental Insurance & Delta Dental of New York · New York Department of Financial Services · 2023 data breach affecting 7.1 million customers · Russian cybercriminal group Clop exploited a zero-day vulnerability in file transfer software
What Happened

7.1 million records. One unpatched vulnerability. One holiday weekend.

Over Memorial Day weekend 2023, a Russian-speaking cybercriminal group known as Clop exploited a zero-day vulnerability in Progress Software's MOVEit Transfer — a managed file transfer solution used by thousands of organizations. They accessed Delta Dental's systems between May 27 and May 30, 2023, and exfiltrated approximately 60,000 files containing names, addresses, Social Security numbers, driver's license numbers, financial account information, and protected health information.

Delta Dental was one of around 2,700 companies hit by these automated mass exploitation attacks. But the fine did not come from getting hacked. The fine came from what Delta Dental failed to have in place before, during, and after the attack.

7.1M
Customers whose data was stolen
60K
Files exfiltrated in the attack
$2.25M
Fine paid to regulators

The Five Violations

They did not get fined for getting hacked.
They got fined for these.

The New York Department of Financial Services identified five specific regulatory violations. Every single one of them is a gap that exists in the majority of small to medium mental health practices operating today.

Violation 1 — Notification Failure
Failed to notify regulators within 72 hours of discovering the breach
Delta Dental discovered the breach on June 1, 2023 but did not notify the New York Department of Financial Services until December 15, 2023 — more than six months later. Under both HIPAA and New York cybersecurity regulations, covered entities are required to notify regulators within 72 hours of discovery.
23 NYCRR § 500.17(a)(1) · HIPAA Breach Notification Rule
Violation 2 — No Written Incident Response Policy
No written policy addressing how to respond to a cybersecurity incident
Delta Dental did not have a documented incident response policy that met regulatory requirements. When a breach occurs, your team needs a written playbook — who to call, what to document, how to notify regulators, and how to contain the damage. Without it, the response is improvised and regulators see it as negligence.
23 NYCRR § 500.3(n) · HIPAA Security Rule § 164.308(a)(6)
Violation 3 — Incomplete Incident Response Plan
Written incident response plan did not cover regulatory reporting obligations
Even where a plan existed, it did not address the organization's specific obligations to notify regulators. Having a plan that says "contact IT" is not enough. A compliant incident response plan must explicitly define who notifies which regulators, on what timeline, and using what method.
23 NYCRR § 500.16(b)(6) · HIPAA § 164.308(a)(6)(ii)
Violation 4 — No Data Disposal Policies
No written policies for securely disposing of data no longer needed for business
Delta Dental had no written policies governing when or how to delete data that was no longer needed. HIPAA and cybersecurity regulations require covered entities to have documented procedures for the secure disposal of PHI and sensitive data. Data you do not have cannot be stolen.
23 NYCRR § 500.13 · HIPAA Security Rule § 164.310(d)(1)
Violation 5 — Excessive Data Retention
Data held far longer than necessary — with no governance over retention settings
The investigation found that most stolen data had been sitting on the server for more than 30 days. Delta Dental had changed default retention periods from 30 to 45 to 60 days for many folders — and some folders had data retention settings completely disabled. There were no written policies governing who could change retention settings, or how those changes were reviewed and approved.
HIPAA Minimum Necessary Standard · § 164.514(b)

Why Mental Health Practices Are More Vulnerable

Delta Dental had an entire compliance department.
Your practice probably does not.

Delta Dental is a large insurance organization with dedicated compliance, legal, and IT teams. They still had all five of these gaps. Small and medium mental health practices — where one person often wears every hat — face exactly the same regulatory requirements with a fraction of the resources.

But there is a critical difference: mental health records carry some of the most sensitive legal protections in healthcare. Psychotherapy notes, substance use disorder records under 42 CFR Part 2, and mental health treatment information are subject to stricter protections than standard medical records. The regulatory exposure is higher, not lower.

⚠️ Is Your Practice Exposed Right Now?

If your practice cannot answer yes to all five of these questions, you have the same gaps that cost Delta Dental $2.25 million — and OCR enforces the same rules against solo practices as it does against large insurers.

Do you have a written incident response policy? One that names who to call, what to document, and which regulators to notify within 72 hours?
Do you have a written data disposal policy? One that covers how and when patient records, transcripts, and files are securely deleted?
Do you know where all your patient data lives right now? Every device, every cloud service, every vendor who has access to your PHI?
Do you have signed BAAs with every vendor who touches patient data? Your EHR, your video platform, your billing company, your IT support provider?
Have you completed a formal HIPAA Risk Assessment in the last 12 months? A documented, written assessment, not an internal conversation or a checklist from a website?
💡 The Takeaway

Delta Dental did not get hacked because they were careless. They got fined because when the breach happened, they had no documented processes in place to respond correctly. The hackers caused the breach. The missing policies caused the $2.25 million fine. Those are two separate problems — and the second one is entirely within your control.
What Your Practice Should Do Right Now

Five gaps. Five fixes. All achievable without a compliance department.

You do not need to be a large organization to be compliant. What you need is the right documentation, the right policies, and the right systems — reviewed at least annually. Here is exactly what addresses each violation:

Fix for Violation 1
Set up a 72-hour breach notification protocol today
Know your regulators' contact information now — before an incident happens. Under HIPAA, you notify HHS OCR within 60 days of discovery (72 hours for the largest breaches). Under state laws the timeline may be shorter. Write down the three steps your team takes the moment a potential breach is discovered and post it where everyone can see it.
Fix for Violations 2 & 3
Create a written incident response plan that names names and timelines
Your incident response plan must include: who is responsible for each step, which regulators to contact and by when, how you document the incident, and what patient notifications look like. A one-page written plan that is followed correctly is infinitely more valuable to OCR than a sophisticated plan that sits in a drawer.
Fix for Violations 4 & 5
Document your data retention and disposal policy — then enforce it
Know where your patient data is, how long you are required to keep it, and exactly how it gets deleted when retention periods end. State laws govern minimum retention periods for mental health records — typically 7-10 years. But data you no longer need must be disposed of securely. "We just delete it" is not a policy. A written procedure that documents what gets deleted, when, and how — that is a policy.

Is your practice protected?

PsychAssistAI offers HIPAA compliance consulting specifically for mental health practices. We help you identify gaps, build the documentation you need, and put systems in place — before an incident happens.

(571) 214-6228 · support@psychassistai.com · psychassistai.com