The Cincinnati-based eye benefits company has agreed to pay $600,000 and enhance several privacy and security protocols following a data breach that affected some 2.1 million patients in the US.
A Cincinnati-based vision benefits provider has agreed to pay $600,000 in a settlement with the New York Attorney General’s Office over a 2020 data breach that exposed the personal data of some 2.1 million people across the country.
In a deal with AG Letitia James, EyeMed Vision Care agreed to pay the fine as well as adhere to several conditions:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting of security risks to the company's leadership;
- Maintaining reasonable account management and authentication, including requiring the use of multi-factor authentication for all administrative or remote access accounts, and reviewing such safeguards annually;
- Encrypting sensitive consumer information that it collects, stores, transmits and/or maintains;
- Conducting a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities within the EyeMed network;
- Implementing and maintaining appropriate logging and monitoring of network activity, with logs accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged; and
- Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.
“New Yorkers should have every assurance that their personal health information will remain private and protected,” James said in a press release. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.”
According to the complaint, unknown hackers gained access to an EyeMed e-mail account in June 2020 for about a week, enabling them to search certain records dating back six years. The hackers used that information to send roughly 2,000 phishing e-mails in July, seeking log-in credentials for more accounts. The company spotted the e-mails, shut down the hackers’ access and began informing affected customers in September.
“The Office of the Attorney General determined that, at the time of the attack, EyeMed had failed to implement multifactor authentication (MFA) for the affected email account, despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information,” James’ office said in the press release. “Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information. The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.”
The breach affected 98,632 New York residents, the AG’s office said.
EyeMed is part of the global Luxottica eyewear and eyecare chain.
Eric Wicklund is the associate content manager and senior editor for Innovation at HealthLeaders.