Getty Images/iStockphoto

EyeMed Vision Care Reaches $2.5M Settlement Over Multistate Data Breach

This marks the third settlement EyeMed has reached over a 2020 data breach that impacted 2.1 million individuals.

Vision insurer EyeMed Vision Care reached a $2.5 million settlement with the states of New Jersey, Oregon, and Florida, following a 2020 data breach that impacted 2.1 million individuals. The multistate investigation exposed deficiencies in EyeMed’s data security program that contributed to the breach, a press release from New Jersey Attorney General Matthew J. Platkin stated.

The breach occurred when an unauthorized user gained access to an EyeMed email account in June 2020. The breach exposed six years of personal information, including names, Social Security numbers, addresses, phone numbers, dates of birth, medical diagnoses and conditions, treatment information, and vision insurance account numbers.

Following the unauthorized access, the threat actor sent approximately 2,000 phishing emails from the compromised account.

This announcement marks the third settlement reached in relation to this breach. In January 2022, New York Attorney General Letitia James announced a $600,000 settlement with EyeMed. The settlement also required EyeMed to implement updated security protocols to prevent future attacks.

In October 2022, EyeMed Vision Care agreed to pay a $4.5 million penalty to New York State for Department of Financial Services violations stemming from the same breach.

“New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” Platkin said. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

In addition to the $2.5 million, EyeMed agreed to continue to develop and maintain a written information security program in compliance with state consumer protection laws and HIPAA. Additionally, EyeMed agreed to report all data breaches immediately, continue to employ an officer who is in charge of the information security program, and maintain controls to manage account access.

“The Division of Consumer Affairs is committed to protecting New Jersey residents and their personal information wherever it is stored,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures.”

Next Steps

Dig Deeper on Cybersecurity strategies