New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

New York Attorney General Letitia James has announced the first healthcare data breach settlement of 2022.

EyeMed Vision Care, an Ohio-based vision benefits provider, has agreed to pay a $600,000 penalty to settle a 2020 data breach that exposed the personal data of 2.1 million people across the country, including 98,632 New York residents.

The breach began on or around June 24, 2020, when an unauthorized party gained access to an EyeMed email account containing sensitive consumer data submitted for vision benefits enrollment and coverage. The attacker had access to the account for almost a week and could view emails and attachments spanning a period of six years, dating back to January 3, 2014. The emails contained a wide range of sensitive data, including contact details, dates of birth, health insurance account numbers, full or partial Social Security numbers, Medicare/Medicaid information, driver’s license numbers, government IDs, birth and marriage certificates, diagnoses, and medical treatment details.

From June 24, 2020 to July 1, 2020, the attackers logged into the account from a range of IP addresses, including some outside the United States, and on July 1, 2020, the account was used to send almost 2,000 phishing emails to EyeMed clients. EyeMed’s IT department discovered the phishing emails after receiving numerous inquiries from clients asking whether the messages were legitimate. The compromised account was then promptly disabled.

The forensic investigation found that the attacker could have downloaded data from the email account while access was open, but could not confirm whether any personal information was actually exfiltrated. Affected individuals were notified of the breach in September 2020 and were offered free credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the breach and found that, at the time of the attack, EyeMed had not implemented adequate security measures to prevent unauthorized access to the personal data of New York residents.

The email account was accessible through a web browser and contained large volumes of consumers’ sensitive information spanning many years, yet EyeMed had not enabled multi-factor authentication on it. EyeMed also lacked proper password management requirements for the account: the password policy required only 8 characters, even though EyeMed was clearly aware of the importance of password complexity, since its administrator accounts required a minimum of 12 characters. EyeMed also permitted six failed login attempts before the user ID was disabled. In addition, EyeMed did not maintain adequate logging of email accounts and was not monitoring them, which made security incidents harder to detect and investigate. Retaining consumer data in the email account for such a long period was also unreasonable; older emails should have been moved to more secure systems and deleted from the mailbox.
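The monitoring gap described above is concrete enough to illustrate with detection logic. The following is an added example, not EyeMed’s code or logs: it runs over constructed mailbox audit-log lines modelled on the timeline reported here (logins from several IPs and countries within a week, then a burst of outbound mail) and flags the pattern a mailbox monitor should have caught. The log format, account names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (not real EyeMed data): time,event,account,ip,country
SAMPLE_LOG = """\
2020-06-24T02:11:00,login,benefits-mailbox,203.0.113.7,US
2020-06-25T22:40:00,login,benefits-mailbox,198.51.100.12,DE
2020-06-28T04:05:00,login,benefits-mailbox,192.0.2.200,BR
2020-06-30T11:00:00,login,hr-mailbox,203.0.113.9,US
2020-07-01T09:00:00,login,benefits-mailbox,198.51.100.12,DE
""" + "".join(f"2020-07-01T09:{i:02d}:00,send,benefits-mailbox,198.51.100.12,DE\n"
              for i in range(30))


def parse(log):
    """Parse CSV-style audit lines into (timestamp, event, account, ip, country)."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip, country = line.split(",")
        rows.append((datetime.fromisoformat(ts), event, account, ip, country))
    return rows


def detect(rows, login_window=timedelta(days=7), min_ips=3,
           burst=25, burst_window=timedelta(hours=1)):
    """Return {account: [finding, ...]} for mailboxes showing takeover indicators."""
    by_acct = defaultdict(list)
    for row in sorted(rows):
        by_acct[row[2]].append(row)
    findings = defaultdict(list)
    for acct, evs in by_acct.items():
        logins = [e for e in evs if e[1] == "login"]
        # Sliding window: many distinct source IPs, or more than one country, per window
        for i, first in enumerate(logins):
            group = [e for e in logins[i:] if e[0] - first[0] <= login_window]
            ips, countries = {e[3] for e in group}, {e[4] for e in group}
            if len(ips) >= min_ips or len(countries) > 1:
                findings[acct].append(f"{len(ips)} source IPs from {sorted(countries)} "
                                      f"within {login_window.days} days")
                break
        sends = [e for e in evs if e[1] == "send"]
        # Outbound burst: a phishing run looks like many sends inside a short window
        for i, first in enumerate(sends):
            n = sum(1 for e in sends[i:] if e[0] - first[0] <= burst_window)
            if n >= burst:
                findings[acct].append(f"{n} messages sent within {burst_window.seconds // 3600}h")
                break
    return dict(findings)


if __name__ == "__main__":
    for acct, notes in detect(parse(SAMPLE_LOG)).items():
        print(acct, "->", "; ".join(notes))
```

The two checks are independent, so a mailbox is flagged on foreign or multi-IP logins alone, before any phishing wave is sent, which is the point at which an alert would have shortened the week-long access window.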

State attorneys general have the authority to impose fines for HIPAA violations, and New York could have cited HIPAA; however, the settlement cites only violations of New York General Business Law.

Under the terms of the settlement, in addition to paying the $600,000 penalty, EyeMed must implement a range of measures to improve security and prevent further data breaches. Those measures are:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with new technology and security threat trends.
  • Maintaining reasonable account management and authentication practices, including multi-factor authentication for all administrative and remote access accounts.
  • Encrypting sensitive consumer data.
  • Conducting penetration testing on a reasonable schedule to identify, assess, and remediate security flaws.
  • Implementing and maintaining appropriate logging and monitoring of network activity.
  • Permanently deleting consumers’ sensitive data when there is no reasonable business or legal purpose to retain it.

Attorney General James commented: “New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”