EyeMed NY AG Settlement

In January of 2022, EyeMed Vision Care LLC, a New York vision benefits provider, settled an action brought by the New York State Attorney General against it for failing to implement adequate data security measures, including multifactor authentication, password management, and logging of email accounts. 

These deficiencies resulted in a 2020 email data breach during which hackers accessed an EyeMed email account containing a treasure trove of patient health information. The $600,000 settlement of the action, which was brought under the New York SHIELD Act, also requires EyeMed to implement a number of security improvements. Readers can eyeball details of the settlement below.

Email Data Breach of 2.1 Million Individuals’ Health Information Not Eyed for a Week

EyeMed is a vision benefits provider based in Mason, Ohio. EyeMed offers its services to individuals in all 50 states. A substantial number of EyeMed’s patients are New York residents. In late June of 2020, a group of unknown attackers hacked into an EyeMed email account used by some EyeMed clients to provide sensitive consumer data related to vision benefits enrollment and coverage. The attacker then spread the news by sending about 2,000 phishing emails from the email account to EyeMed clients. The phishing messages claimed to be a request for a legitimate business proposal. In fact, the messages were sent to keelhaul unsuspecting clients into providing sensitive personal information.

EyeMed did not realize that it had been duped into acting as bait until July 1, when its IT department observed transmission of the phishing emails from the account and then received inquiries from clients about the suspicious-looking messages. EyeMed then blocked the attacker’s access to the email account and began an investigation of the incident. The investigation of the email data breach confirmed that the attacker had the ability, for an entire week, to withdraw documents containing the sensitive information. 

Email Data Breach Comes Under the Microscope of the New York Attorney General

In late September of 2020, EyeMed began to notify affected individuals about the email data breach. Nearly 99,000 of the individuals affected by the email data breach were New York residents. Under the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, companies that collect information on New York residents must comply with data security requirements. This includes companies that operate outside of New York but own or license New York residents’ information. EyeMed fits within the coverage of the New York law hook, line, and sinker, and as such, is subject to that law’s notification requirements.

Under these requirements, notification to affected residents must include not only contact information for the person or business making the notification but must also include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information. One of these agencies is the New York State Attorney General’s Office, Bureau of Internet and Technology. As such, it was a bait accompli that word of the phishing expedition would reach the New York AG’s desk. When it did, the AG commenced an investigation of the email data breach.

The AG’s investigation concluded that EyeMed violated the security requirements of the SHIELD Act by: