EyeMed on the hook for $600K after 2.1M record breach

New York Attorney General Letitia James announced this week that vision coverage benefits provider EyeMed had agreed to pay the state $600,000 in the wake of a massive data breach in 2020.  

According to the Office of the Attorney General, the incident affected about 2.1 million U.S. residents, including 98,632 in New York.  

“Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest,” said James.   


According to the agreement, in June 2020, a still-unknown attacker gained access to an EyeMed email account for about a week.

That intrusion allowed them to view emails and attachments dating back six years, containing information such as names, contact information, dates of birth, full or partial Social Security Numbers, Medicaid numbers, Medicare numbers, driver’s license or other government ID numbers, birth or marriage certificates, medical diagnoses and conditions, and medical treatment information.  

Then, on July 1, 2020, the bad actor sent about 2,000 phishing emails from the enrollment email account to EyeMed clients in an apparent attempt to gain more credentials.   

“EyeMed blocked the attacker’s access to the email account, and EyeMed’s internal IT team began investigating the scope of the incident,” read the agreement.  

The New York Attorney General’s investigation identified several areas where EyeMed’s practices failed to meet legal requirements to protect customers’ personal information:

  • Authentication: EyeMed had not implemented multi-factor authentication for the affected email account.
  • Password Management: The company set a minimum password length of only eight characters for the affected email account; it allowed six failed login attempts before locking out the ID; and the attacker gained access with a password the AG called “insufficiently complex.”
  • Logging and Monitoring: At the time of the attack, EyeMed used an Office 365 E3 license for the email account, which left it unable to see when mail items were accessed; when mail items were replied to or forwarded beyond 90 days; or to identify when a user searched and what the user searched for. 
  • Data Retention: The account contained emails with consumer’s personal information dating back to January 3, 2014, which the AG’s office called “unreasonable.”  

The settlement notes that EyeMed neither admits nor denies the above findings.  

In addition to the fine, EyeMed is required as part of the agreement to enact a series of measures to protect consumer information, including maintaining a comprehensive information security program; requiring the use of multi-factor authentication for all administrative or remote access accounts; encrypting sensitive consumer information; and permanently deleting personal data when there is no reasonable business or legal purpose to retain it; among other provisions.  

“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information,” said James.  


Unfortunately for organizations hit with cyber attacks, the consequences sometimes go beyond data exposure.  

The federal government has levied millions of dollars in fines in the name of potential HIPAA violations after breaches.

Private citizens have also put their own pressure on organizations’ wallets, with some bringing class-action lawsuits accusing vendors and providers of failing to adequately protect their information.   


“New Yorkers should have every assurance that their personal health information will remain private and protected,” said James in a statement. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.”  

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article