Getty Images

EyeMed Vision Care to Pay $4.5M to NY Over Healthcare Data Breach

EyeMed Vision Care agreed to pay a $4.5 million penalty to New York State for Department of Financial Services violations stemming from a healthcare data breach.

As a result of an investigation into a 2020 healthcare data breach, vision insurer EyeMed Vision Care will pay a $4.5 million penalty to New York State for violating the Department of Financial Services (DFS) Cybersecurity Regulation, the department announced.

EyeMed suffered a data breach in June 2020 stemming from a phishing attack that impacted 2.1 million individuals. Over the course of a week, a bad actor was able to access a shared EyeMed email inbox containing consumer information, including Social Security numbers and medical treatment information that dated back six years.

The company previously reached a settlement agreement with the New York Attorney General’s Office for $600,000 to resolve allegations relating to the breach. The settlement also required EyeMed to conduct regular penetration testing, encrypt sensitive consumer information, and implement updated security protocols.

The DFS investigation reached similar conclusions surrounding the company’s alleged security failures and noted that EyeMed had violated its Cybersecurity Regulation by failing to implement multifactor authentication (MFA) throughout its email environment, which was required by the regulation. 

“Moreover, EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox,” the announcement noted.

“Had these controls been in place, the July 1, 2020 cybersecurity event could have been prevented or been limited in scope.”

Additionally, the DFS investigation revealed that EyeMed had failed to conduct an adequate risk assessment. In addition to the $4.5 million penalty, EyeMed agreed to conduct a comprehensive cyber risk assessment and develop an action plan for addressing the risks uncovered during the assessment.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” said Adrienne A. Harris, superintendent of financial services.

“This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.” 

Next Steps

Dig Deeper on Cybersecurity strategies