NY Fines EyeMed $600K in Wake of Healthcare Data Breach Impacting 2.1M

January 26, 2022 - New York Attorney General Letitia James announced a $600,000 settlement with vision benefits provider EyeMed to resolve numerous allegations concerning a 2020 healthcare data breach that compromised the protected health information (PHI) of 2.1 million individuals.

The data breach occurred in June 2020, when cybercriminals gained access to an EyeMed email account containing customer names, Social Security numbers, addresses, insurance identification numbers, medical diagnoses, and medical treatment information.

Over the course of the one week that the attacker had access to the account, they had the ability to view emails and attachments dating back six years, the announcement explained.

Then, in July 2020, the attacker sent 2,000 phishing emails via the compromised email account. The emails were seeking login credentials to EyeMed client accounts. At this time, EyeMed’s IT department began an investigation and blocked the intrusion. EyeMed began notifying impacted individuals in September 2020.

“The Office of the Attorney General determined that, at the time of the attack, EyeMed had failed to implement multifactor authentication (MFA) for the affected email account, despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information,” the announcement stated.

“Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information. The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.”

As a result of these alleged failures, the personal information of millions of individuals was compromised.

Along with a $600,000 fine, EyeMed is required to implement updated security protocols to prevent future attacks. The company will have to maintain a comprehensive information security program and communicate cyber threats to company leadership and implement regular logging and monitoring of network activity.

EyeMed will also have to maintain account management and authentication protocols, including multi-factor authentication. EyeMed will also be required to conduct penetration testing, encrypt sensitive consumer information, and permanently delete personal information when there is no business or legal reason to retain it.

“New Yorkers should have every assurance that their personal health information will remain private and protected,” James said in the announcement.

“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”