In January of 2022, EyeMed Vision Care LLC, an Ohio-based vision benefits provider, settled an action brought by the New York State Attorney General against it for failing to implement adequate data security measures, including multifactor authentication, password management, and logging and monitoring of email accounts.
These deficiencies resulted in a 2020 email data breach during which hackers accessed an EyeMed email account containing a treasure trove of patient health information. The $600,000 settlement of the action, which was brought under the New York SHIELD Act, also requires EyeMed to implement a number of security improvements. Readers can eyeball details of the settlement below.
Email Data Breach of 2.1 Million Individuals’ Health Information Not Eyed for a Week
EyeMed is a vision benefits provider based in Mason, Ohio. EyeMed offers its services to individuals in all 50 states, and a substantial number of EyeMed's patients are New York residents. In late June of 2020, a group of unknown attackers gained access to an EyeMed email account that some EyeMed clients used to submit sensitive consumer data related to vision benefits enrollment and coverage. The attacker then used the compromised account to send about 2,000 phishing emails to EyeMed clients. The phishing messages claimed to be a request for a legitimate business proposal. In fact, the messages were sent to hook unsuspecting clients into providing sensitive personal information.
EyeMed did not realize that it had been duped into acting as bait until July 1, when its IT department observed the transmission of the phishing emails from the account and then received inquiries from clients about the suspicious-looking messages. EyeMed then blocked the attacker's access to the email account and began an investigation of the incident. The investigation of the email data breach confirmed that the attacker had been able, from late June until July 1, roughly a week, to exfiltrate documents containing the sensitive information from the mailbox.
Email Data Breach Comes Under the Microscope of the New York Attorney General
In late September of 2020, EyeMed began to notify affected individuals about the email data breach. Nearly 99,000 of the individuals affected by the email data breach were New York residents. Under the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, companies that collect information on New York residents must comply with data security requirements, including companies that operate outside of New York but own or license New York residents' information. EyeMed fits within the coverage of the New York law hook, line, and sinker, and as such, is subject to that law's notification requirements.
Under these requirements, notification to affected residents must include not only contact information for the person or business making the notification but also the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection. One of these agencies is the New York State Attorney General's Office, Bureau of Internet and Technology. As such, it was a bait accompli that word of the phishing expedition would reach the New York AG's desk. When it did, the AG commenced an investigation of the email data breach.
The AG’s investigation concluded that EyeMed violated the security requirements of the SHIELD Act by:
- Failing to implement multifactor authentication for the affected email account;
- Failing to use sufficient password management requirements for the email account; and
- Failing to maintain adequate logging and monitoring of its email accounts.
New York AG Eyeing Compliance With Written Information Security Program
EyeMed, not wishing to be blind to its obligations under the SHIELD Act, entered into a $600,000 settlement agreement with the AG’s office. Under the terms of the settlement, EyeMed is required to implement a number of security measures.
These measures include:
- Adoption of administrative, technical, and physical safeguards, appropriate to the size, nature, and scope of EyeMed's operations, and appropriate to the sensitivity of the personal information EyeMed collects, stores, transmits, and/or maintains.
- Development of password policies and procedures requiring the use of strong passwords.
- Encryption of what the SHIELD Act defines as private information of consumers.
- A penetration testing program designed to identify, assess, and remediate security vulnerabilities.
- A system designed to collect and monitor network activity, together with policies and procedures for configuring those tools so that they report suspicious activity.
- Deletion of customer personal information when there is no legal or business purpose to maintain it.
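The third AG finding above (no adequate logging and monitoring of email accounts) and the settlement's monitoring requirement both come down to the same practical question: would a 2,000-message phishing burst from one mailbox have been noticed before a client complained? The script below is an added illustration, not code from the page, from EyeMed, or from Compliancy Group. It assumes a hypothetical outbound-mail log format (timestamp, sender, recipient, subject), builds a constructed week of traffic in which one mailbox suddenly sends about 2,000 near-identical messages, and flags any sender that exceeds a per-window send threshold. The log format, the account names, and the thresholds are all assumptions chosen for the example.

```python
"""Added example: detect an outbound-mail burst from a single mailbox.

Log format (assumed for this example, not EyeMed's): one send per line,
"<ISO-8601 timestamp>Z <sender> <recipient> <subject...>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, subject)."""
    ts, sender, recipient, subject = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sender, recipient, subject


def detect_bursts(lines, window=timedelta(minutes=60), threshold=100):
    """Return {sender: (window_start, count, distinct_recipients)} for every
    sender whose send count inside any rolling `window` exceeds `threshold`.

    The first window that trips the threshold is recorded per sender.
    """
    events = sorted(parse_line(line) for line in lines if line.strip())
    recent = defaultdict(deque)  # sender -> deque of (ts, recipient) in window
    alerts = {}
    for ts, sender, recipient, _subject in events:
        q = recent[sender]
        q.append((ts, recipient))
        # Evict sends that fell out of the rolling window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold and sender not in alerts:
            alerts[sender] = (q[0][0], len(q), len({r for _, r in q}))
    return alerts


def build_sample_log():
    """Constructed sample data: a week of ordinary traffic from two mailboxes
    (about 20 sends per day each), then a burst of 2,000 "business proposal"
    messages from the enrollment mailbox on the last day. Names are fictitious."""
    base = datetime(2020, 6, 24, 9, 0, 0)
    lines = []
    for day in range(7):
        for i in range(20):
            t = base + timedelta(days=day, minutes=15 * i)
            stamp = f"{t:%Y-%m-%dT%H:%M:%S}Z"
            lines.append(f"{stamp} enrollment@example-vision.test client{i}@example.test Enrollment update")
            lines.append(f"{stamp} billing@example-vision.test client{i}@example.test Invoice")
    burst_start = base + timedelta(days=6, hours=3)
    for i in range(2000):
        t = burst_start + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z enrollment@example-vision.test "
                     f"target{i}@example.test Business proposal request")
    return lines


if __name__ == "__main__":
    for sender, (start, count, distinct) in detect_bursts(build_sample_log()).items():
        print(f"ALERT {sender}: {count} sends to {distinct} recipients "
              f"in the hour starting {start:%Y-%m-%d %H:%M}")
```

With the constructed data, the enrollment mailbox is flagged within the first two minutes of the burst, while the billing mailbox, which never sends more than five messages in any hour, is not. A fixed threshold of 100 per hour is a placeholder; in practice the threshold should be derived from each mailbox's own baseline, and a high count of distinct recipients with a repeated subject is a stronger signal than volume alone.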
Companies that fail to safeguard consumer and patient personal information have become quite a catch – not only for the net of the New York Attorney General, but for Attorneys General in a number of other states, including New Jersey, Texas, and Maine, to name a few.
Get out of the path of the shark-infested legal waters – find out how Compliancy Group can work with you to develop an effective security program.