Hold onto your glasses because EyeMed Vision Care has just reached its third settlement over a 2020 data breach that impacted 2.1 million individuals! The vision insurer has agreed to pay a whopping $2.5 million settlement with the states of New Jersey, Oregon, and Florida following an investigation into EyeMed’s data security program, which was found to be lacking and contributed to the breach. Yikes!
So, what happened exactly? In June 2020, an unauthorized user gained access to an EyeMed email account and exposed six years' worth of personal information for millions of people. This breach was no joke: the exposed data ranged from names and Social Security numbers to addresses and even medical diagnoses. To make matters worse, the threat actor then sent approximately 2,000 phishing emails from the compromised account. Double yikes!
Behind the Scenes of EyeMed Breach
This isn’t the first time EyeMed has faced consequences for its poor security protocols, either. In January 2022, the company settled with New York Attorney General Letitia James for $600,000 and had to implement updated security measures. Then, in October 2022, it paid a $4.5 million penalty to the New York State Department of Financial Services for violations stemming from the same breach.
New Jersey Attorney General Matthew J. Platkin stated, “This is more than just a monetary settlement; it’s about changing companies’ behavior to protect crucial patient data better.”
And we couldn’t agree more! In addition to paying out millions in settlement fees, EyeMed must also develop and maintain a written information security program in compliance with state consumer protection laws and HIPAA regulations. The company will also report all future data breaches immediately and continue employing an officer to oversee its improved information security program.
Cari Fais, Acting Director of the Division of Consumer Affairs added, “Companies have a duty to take meaningful steps to safeguard protected health and personal information and avoid unauthorized disclosures.” We couldn’t have said it better ourselves. Let’s hope other companies take note – patients can’t afford any more breaches like this one.
How EyeMed Could Have Prevented These Breaches
One tool that could have prevented this costly mistake for EyeMed is Compliancy Group’s software, “The Guard.” With its comprehensive compliance management system, Compliancy Group helps eye care and healthcare organizations meet all HIPAA regulations and safeguard their patients’ sensitive data.
By using The Guard, EyeMed could have identified any potential vulnerabilities in their systems and taken proactive steps to address them before any breaches occurred.
Data breaches not only put individuals at risk but can also result in significant financial consequences for businesses. In addition to legal fees and settlements such as what EyeMed faced, companies may also suffer damage to their reputation and loss of trust from patients. It is crucial that businesses take cybersecurity seriously and implement effective measures to protect against potential threats.
Compliancy Group’s software provides ongoing support and training to help businesses stay up-to-date with changing regulations and best practices for cybersecurity. This ensures that companies like EyeMed can comply with HIPAA regulations while reducing the risk of data breaches and avoiding expensive fines.