EyeMed Pays $600,000 Penalty to Resolve 2.1 Million-Record Data Breach

New York Attorney General Letitia James has announced the first settlement of 2022 involving a healthcare data breach. The Ohio-based vision benefits company EyeMed Vision Care will pay a $600,000 financial penalty to resolve a 2020 data breach that exposed the personal information of 2.1 million people across the country, including 98,632 New York residents.

The data breach occurred on or about June 24, 2020, when unauthorized persons gained access to an EyeMed email account containing sensitive consumer information provided in connection with vision benefits enrollment and insurance. The attacker had access to the email account for approximately one week and viewed email messages and attachments covering a span of 6 years, beginning on January 3, 2014. The emails contained a variety of sensitive information, including names, contact details, dates of birth, medical insurance account details, driver’s license numbers, full or partial Social Security numbers, Medicare/Medicaid numbers, government identification numbers, marriage/birth certificates, diagnoses, and treatment information.

Between June 24, 2020 and July 1, 2020, the attackers accessed the email account from a number of IP addresses, including some located outside the U.S. On July 1, 2020, the attackers used the account to send close to 2,000 phishing emails to EyeMed customers. EyeMed’s IT team noticed the phishing emails and received numerous queries from clients asking whether the messages were legitimate. The compromised account was then promptly secured.

The subsequent forensic investigation confirmed that the attacker could have exfiltrated files from the email account while access was possible, but could not determine whether any personal data was actually stolen. Affected individuals were notified in September 2020 and offered free credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and found that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal data of New York residents.

The email account was accessible through a web browser and held large amounts of consumers’ sensitive data spanning several years, yet EyeMed had not enabled multi-factor authentication on the account. EyeMed also failed to apply adequate password management requirements to the account. The password requirements were not sufficiently strong, demanding only an 8-character password, even though EyeMed knew the importance of password complexity, since its administrator-level accounts required passwords of at least 12 characters. EyeMed also permitted 6 failed password attempts before locking out the user ID. In addition, EyeMed had failed to retain sufficient logs of email account sign-ins and was not monitoring its email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer information in the email account for such a long period; older emails should have been moved to more secure systems and deleted from the account.
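As an added example (not part of the article, and not EyeMed’s own tooling), the script below shows the kind of monitoring that the missing sign-in logs would have made possible: a single mailbox authenticated from several countries within one week, followed by a burst of outbound mail from that mailbox. The log format, account names, IP addresses and alert thresholds are constructed assumptions.

```python
# Added example, not from the article: two signals that sign-in logging and mailbox
# monitoring would have surfaced in the EyeMed case. Log format, accounts, IPs and
# thresholds are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one event per line: "<timestamp> <LOGIN|SEND> <account> <ip> <country>"
SAMPLE_LOG = "\n".join([
    "2020-06-24T03:12:07Z LOGIN benefits@example.invalid 203.0.113.5 US",
    "2020-06-24T09:40:51Z LOGIN benefits@example.invalid 198.51.100.77 NG",
    "2020-06-26T22:05:13Z LOGIN benefits@example.invalid 192.0.2.200 RU",
    "2020-06-25T11:00:00Z LOGIN hr@example.invalid 203.0.113.9 US",
] + [  # one outbound message every 20 seconds for an hour: 180 sends
    f"2020-07-01T08:{i // 3:02d}:{i % 3 * 20:02d}Z SEND benefits@example.invalid 198.51.100.77 NG"
    for i in range(180)])

def parse_log(text):
    """One dict per line with the timestamp parsed, in chronological order."""
    events = [dict(zip(("ts", "kind", "account", "ip", "country"), line.split()))
              for line in text.splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def by_account(events, kind):
    """Group events of one kind by account, keeping chronological order."""
    groups = defaultdict(list)
    for e in (e for e in events if e["kind"] == kind):
        groups[e["account"]].append(e)
    return groups

def flag_multi_country_logins(events, window=timedelta(days=7), min_countries=2):
    """Accounts whose LOGINs inside any `window` come from >= min_countries countries."""
    flagged = {}
    for acct, logins in by_account(events, "LOGIN").items():
        for first in logins:  # a window anchored at each login in turn
            seen = {e["country"] for e in logins
                    if timedelta(0) <= e["ts"] - first["ts"] < window}
            if len(seen) >= min_countries:
                flagged[acct] = sorted(seen)
                break
    return flagged

def flag_send_bursts(events, window=timedelta(hours=1), threshold=100):
    """Accounts whose SEND count inside any `window` reaches `threshold`."""
    flagged = {}
    for acct, sends in by_account(events, "SEND").items():
        times = [e["ts"] for e in sends]
        peak = max(sum(1 for u in times if timedelta(0) <= u - t < window) for t in times)
        if peak >= threshold:
            flagged[acct] = peak
    return flagged
```

Both checks depend on sign-in and send events actually being retained; without the logs, the multi-country pattern over the week of access is invisible and the first indication is the customers’ complaints about the phishing mail.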

State attorneys general are permitted to pursue financial penalties for HIPAA violations, as HIPAA violations can be cited in such actions; however, New York cited only violations of New York General Business Law.

Under the terms of the settlement, EyeMed must pay a $600,000 financial penalty and implement a number of measures to strengthen security and prevent further data breaches. Those measures include:

  1. Maintaining a comprehensive information security program that is continually updated to keep pace with changes in technology and security threats
  2. Maintaining appropriate account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  3. Encrypting sensitive consumer information
  4. Conducting a penetration testing program to identify, assess, and remediate security vulnerabilities
  5. Implementing and maintaining appropriate logging and monitoring of system activity
  6. Permanently deleting consumers’ personal information when there is no legitimate business or legal purpose to retain it.

New Yorkers must be confident that their personal health information (PHI) will be kept private and secure. EyeMed violated that trust by failing to monitor its own security systems, which in turn exposed the personal data of a huge number of people. Attorney General James said her office will continue to hold companies accountable and to ensure that the best interests of New Yorkers are protected. Potential violations will continue to be actively investigated to keep New Yorkers and their personal data safe.