
New York Attorney General Letitia James has fined EyeMed Vision Care $600,000 in an agreement that resolves a 2020 data breach that compromised the personal information of about 2.1 million consumers nationwide, including 98,632 people in New York.

Cincinnati, Ohio–based EyeMed — which provides vision benefits to members of vision plans offered by both licensed underwriters and employers — was hit with a data breach in which attackers gained access to an EyeMed email account with sensitive customer information, per a Jan. 24 news release from the attorney general’s office. 

The compromised information included consumers’ names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical-treatment information. The intrusion permitted the attacker access to emails and attachments with “sensitive” customer information dating back six years prior to the attack.

“New Yorkers should have every assurance that their personal health information will remain private and protected,” James said. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.”

EyeMed “neither admits nor denies” the findings of James’ office, per a document detailing the settlement agreement that was posted on the attorney general’s website.

Agreement terms

As part of the settlement, EyeMed has agreed to pay the state of New York $600,000 in penalties.

In addition, EyeMed is required to adopt a series of measures to protect consumers’ personal information from cyberattacks in the future.

They include maintaining a “comprehensive” information-security program that is updated regularly to keep pace with changes in technology and security threats, and regularly reporting security risks to the company’s leadership.

The firm is also maintaining “reasonable” account management and authentication, including requiring the use of multi-factor authentication for all administrative or remote-access accounts, and reviewing such safeguards annually.

EyeMed is encrypting sensitive consumer information that it collects, stores, transmits, and/or maintains. It is also conducting a “reasonable” penetration-testing program designed to identify, assess, and remediate security vulnerabilities within the EyeMed network.

The company is also implementing and maintaining “appropriate” logging and monitoring of network activity that are accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.

EyeMed is also permanently deleting consumers’ personal information when it has no “reasonable” business or legal purpose to retain it.

About the attack

In June 2020, attacker(s) accessed an EyeMed email account, which company clients used to provide sensitive consumer data in connection with vision-benefits enrollment and coverage. 

The intrusion, which lasted about a week, allowed the attacker to view emails and attachments dating back six years, including consumers’ names, addresses, Social Security numbers, and insurance account numbers, per James’ office.

In July 2020, the attacker sent about 2,000 phishing emails from the compromised email account to EyeMed clients, seeking login credentials for their accounts. EyeMed’s information-technology (IT) department noticed the phishing emails and also received inquiries from clients about these emails. 

EyeMed then blocked the attacker’s access to its system and began investigating the intrusion.

In September 2020, the company began notifying affected consumers whose personal information was compromised during the breach. As part of the notification, the company offered affected customers identity-theft protection services. 

James’ office determined that, at the time of the attack, EyeMed had “failed to implement” multi-factor authentication for the affected email account, despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information. Additionally, EyeMed “failed to adequately implement” sufficient password-management requirements for the enrollment email account given those factors.

The company also “failed to maintain” adequate logging of its email accounts, which made it difficult to investigate security incidents, James’ office said.

Eric Reinhardt
