EyeMed Vision Care (“EyeMed”), an Ohio-based vision insurance company, will pay a $4.5 million penalty to the New York State Department of Financial Services (DFS). The penalty settles a DFS investigation into violations of the DFS Cybersecurity Regulation.
As a licensed health insurer, EyeMed collects highly sensitive data about its members. On July 21, 2020, EyeMed notified the DFS that one of its employees had responded to a phishing email and handed the attacker the credentials for a shared EyeMed mailbox. The mailbox held private patient data spanning the previous six years, including data on minors.
The attacker then used the compromised mailbox to send roughly 2,000 further phishing emails to EyeMed clients, each asking the recipient to disclose their EyeMed login credentials. EyeMed became aware of the intrusion only when customers complained about receiving these emails, not through any monitoring of its own. The mailbox contained the personal information of around 2.1 million consumers, 98,632 of whom lived in New York.
EyeMed’s internal investigation determined that the attacker had access to the mailbox from June 24, 2020 until July 1, 2020, when the intrusion was discovered: a full week of unnoticed dwell time.
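The detection gap above (the company learned of the intrusion from customer complaints rather than from its own telemetry) is the kind of thing a simple check on outbound mail volume catches. The following is an added example, not EyeMed's data or tooling: a sliding-window burst detector over constructed message-trace lines, where a mailbox that normally sends a handful of messages suddenly sends dozens to external addresses within a few minutes. The trace format, mailbox names and the 50-messages-in-10-minutes threshold are all assumptions chosen for illustration.

```python
"""Added example: burst detector for outbound mail from a single mailbox.

A shared mailbox that suddenly sends far more external mail than it
normally does is a strong signal of account takeover. All trace lines
below are constructed for illustration; nothing here is EyeMed's data
or tooling, and the tab-separated format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_trace_line(line):
    """Parse one constructed trace line: '<ISO time>\\t<sender>\\t<recipient>\\t<direction>'."""
    ts, sender, recipient, direction = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), sender, recipient, direction


def detect_outbound_bursts(lines, window=timedelta(minutes=10), threshold=50):
    """Return {sender: (time_of_alert, count)} for each sender that emitted
    more than `threshold` outbound messages inside any `window`-long span.

    A two-pointer sliding window runs over each sender's sorted timestamps,
    so the alert fires at the first message that pushes the count over the
    threshold rather than at the end of a fixed reporting interval.
    """
    per_sender = defaultdict(list)
    for line in lines:
        ts, sender, _, direction = parse_trace_line(line)
        if direction == "outbound":
            per_sender[sender].append(ts)

    alerts = {}
    for sender, stamps in per_sender.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Drop timestamps that have fallen out of the window.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts[sender] = (ts, end - start + 1)
                break
    return alerts


def build_sample_trace():
    """Construct sample trace lines (hypothetical): a quiet HR mailbox, a
    shared claims mailbox that blasts phishing mail, and a busy sales
    mailbox that stays under the threshold."""
    t0 = datetime(2020, 6, 24, 9, 0)
    lines = []
    for i in range(5):  # hr@: five messages spread across the day
        lines.append(f"{(t0 + timedelta(hours=i)).isoformat()}\thr@example.com\tstaff{i}@example.com\toutbound")
    for i in range(80):  # claims@: 80 external messages in 8 minutes, one every 6 s
        lines.append(f"{(t0 + timedelta(seconds=6 * i)).isoformat()}\tclaims@example.com\tmember{i}@mail.test\toutbound")
    for i in range(40):  # sales@: 40 messages over an hour, at most 7 per 10 min
        lines.append(f"{(t0 + timedelta(seconds=90 * i)).isoformat()}\tsales@example.com\tlead{i}@mail.test\toutbound")
    # The inbound phishing message itself is not outbound and is ignored.
    lines.append(f"{t0.isoformat()}\tattacker@mail.test\tclaims@example.com\tinbound")
    return lines


if __name__ == "__main__":
    for sender, (when, n) in detect_outbound_bursts(build_sample_trace()).items():
        print(f"ALERT {sender}: {n} outbound messages within 10 min by {when.isoformat()}")
```

Run on the constructed trace, only claims@example.com trips the detector, at 09:05:00 on the 51st message; the quiet and the moderately busy mailboxes stay silent. In a real deployment the threshold should be set per mailbox from its own baseline, since a shared support mailbox and a marketing sender have very different normal volumes.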
The mailbox was not protected by multi-factor authentication (MFA), so the phished password alone was enough for the attacker to log in. Nine employees shared the single account, which meant EyeMed had not limited user access privileges as the regulation requires. EyeMed also lacked adequate data retention limits and a data disposal procedure, which is why six years of patient data were still sitting in a mailbox. Each of these failings placed EyeMed in violation of the DFS Cybersecurity Regulation (23 NYCRR Part 500).
The case also highlights the importance of having the right controls in place. MFA would very likely have stopped the attacker, since the phished password would have been useless without the second factor (the caveat being that one-time codes can still be relayed in real time by a phishing proxy, so phishing-resistant methods such as FIDO2 security keys are the stronger choice), while adequate retention and disposal policies would have limited how much data was exposed. The DFS also found that the annual certifications of compliance EyeMed had filed for 2018 and 2021 were invalid.
The DFS further found that EyeMed had not carried out an adequate cybersecurity risk assessment, which again left the data exposed. A proper risk assessment, required under the DFS Cybersecurity Regulation, would have surfaced the failings above and allowed EyeMed to correct them before the breach.
EyeMed agreed to settle with the DFS, paying a $4.5 million penalty for the violations. It also agreed to conduct a comprehensive cybersecurity risk assessment and to develop a cybersecurity action plan, both of which must be reviewed and approved by the DFS.