EyeMed on the hook for $600K after 2.1M record breach

New York Attorney General Letitia James announced this week that the vision-coverage benefits provider had also agreed to enact a series of measures to protect customer information.
By Kat Jercich
11:40 AM

New York State Attorney General Letitia James announced this week that vision-coverage benefits provider EyeMed had agreed to pay the state $600,000 in the wake of a massive data breach in 2020.  

According to the Office of the Attorney General, the incident affected about 2.1 million U.S. residents, including 98,632 in New York.  

"Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest," said James.   

WHY IT MATTERS  

According to the agreement, in June 2020, a still-unknown attacker gained access to an EyeMed email account for about a week.

That intrusion allowed them to view emails and attachments dating back six years, containing information such as names, contact information, dates of birth, full or partial Social Security numbers, Medicaid numbers, Medicare numbers, driver's license or other government ID numbers, birth or marriage certificates, medical diagnoses and conditions, and medical treatment information.  

Then, on July 1, 2020, the bad actor sent about 2,000 phishing emails from the enrollment email account to EyeMed clients in an apparent attempt to gain more credentials.   

"EyeMed blocked the attacker’s access to the email account, and EyeMed’s internal IT team began investigating the scope of the incident," read the agreement.  

The New York Attorney General's investigation identified several areas where EyeMed's practices failed to meet legal requirements to protect customers' personal information:

  • Authentication. EyeMed had not implemented multi-factor authentication for the affected email account.
  • Password Management. The company set a minimum password length of only eight characters for the affected email account. It allowed six failed login attempts before locking out the ID, and the attacker gained access with a password the AG called "insufficiently complex."
  • Logging and Monitoring. At the time of the attack, EyeMed held only an Office 365 E3 license for the email account, so it could not see when mail items were accessed, could not see when mail items were replied to or forwarded more than 90 days earlier, and could not identify when a user ran a search or what the user searched for. 
  • Data Retention. The account contained emails with consumers' personal information dating back to January 3, 2014, which the AG's office called "unreasonable."  
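
The logging finding above is one an administrator can test against their own Exchange Online tenant. The following PowerShell is an added example, not part of the settlement or of this article: it uses the Exchange Online Management module to report whether mailbox auditing is enabled for a given account, how long its audit entries are kept, and whether the unified audit log actually contains the MailItemsAccessed, Send and SearchQueryInitiatedExchange events, which are the events that record item reads, sends and searches and which Microsoft generates only under its premium audit licensing. The mailbox address enrollment@example.com and the 30-day window are assumptions for illustration.

```powershell
# Added example: audit-visibility check for one Exchange Online mailbox.
# Requires the ExchangeOnlineManagement module and a role that can read
# the audit log. The mailbox UPN and lookback window are assumed values.
param(
    [string]$Mailbox = 'enrollment@example.com',   # assumed account of interest
    [int]$LookbackDays = 30
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is mailbox auditing switched off tenant-wide? AuditDisabled = $true means nothing is recorded.
$org = Get-OrganizationConfig
Write-Host ("Tenant mailbox auditing disabled: {0}" -f $org.AuditDisabled)

# 2. Per-mailbox audit settings: enabled flag, retention, and which owner actions are logged.
$mbx = Get-Mailbox -Identity $Mailbox
Write-Host ("AuditEnabled      : {0}" -f $mbx.AuditEnabled)
Write-Host ("AuditLogAgeLimit  : {0}" -f $mbx.AuditLogAgeLimit)   # default retention is 90 days
Write-Host ("Owner actions     : {0}" -f ($mbx.AuditOwner -join ', '))

# 3. Do the item-level events exist in the unified audit log for this user?
#    MailItemsAccessed / Send / SearchQueryInitiatedExchange answer "what did the
#    intruder read, send and search for". Without the premium audit license they
#    are never generated, so the query simply returns nothing for them.
$ops   = 'MailItemsAccessed', 'Send', 'SearchQueryInitiatedExchange'
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $Mailbox -Operations $ops -ResultSize 5000

$counts = @{}
foreach ($op in $ops) { $counts[$op] = 0 }
foreach ($r in $records) { $counts[$r.Operations]++ }

foreach ($op in $ops) {
    $status = if ($counts[$op] -gt 0) { 'present' } else { 'ABSENT (no visibility)' }
    Write-Host ("{0,-30} {1,6} records  {2}" -f $op, $counts[$op], $status)
}

# 4. Show a few MailItemsAccessed entries so an investigator can see what was read
#    and from which client IP. AuditData is a JSON blob on each record.
$records | Where-Object Operations -eq 'MailItemsAccessed' | Select-Object -First 5 | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    Write-Host ("{0}  {1}  folders: {2}" -f $_.CreationDate, $d.ClientIPAddress,
        (($d.Folders | ForEach-Object { $_.Path }) -join '; '))
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the three operations come back ABSENT while ordinary events such as MailboxLogin do appear, the tenant has the same gap the agreement describes: it can tell that someone signed in, but not which messages they opened, sent or searched for, and after the retention limit it cannot tell even that.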

The settlement notes that EyeMed neither admits nor denies the above findings.  

In addition to the fine, EyeMed is required as part of the agreement to enact a series of measures to protect consumer information, including, among other provisions:

  • maintaining a comprehensive information security program
  • requiring the use of multifactor authentication for all administrative or remote access accounts
  • encrypting sensitive consumer information
  • permanently deleting personal data when there is no reasonable business or legal purpose to retain it

"My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information," said James.  

THE LARGER TREND  

Unfortunately for organizations hit with cyberattacks, the consequences sometimes go beyond data exposure.

The federal government has levied millions of dollars in fines in the name of potential HIPAA violations after breaches.

Private citizens have also put their own pressure on organizations' wallets, with some bringing class-action lawsuits accusing vendors and providers of failing to adequately protect their information.   

ON THE RECORD  

"New Yorkers should have every assurance that their personal health information will remain private and protected," said James in a statement. "EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals."  

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
