New York Attorney General Letitia James today announced a $600,000 agreement with EyeMed that resolves a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, including 98,632 in New York state. EyeMed — which provides vision benefits to members of vision plans offered by both licensed underwriters and employers — experienced a data breach in which attackers gained access to an EyeMed email account with sensitive customer information. The compromised information included consumers’ names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information. The intrusion permitted the attacker access to emails and attachments with sensitive customer information dating back six years prior to the attack.
“New Yorkers should have every assurance that their personal health information will remain private and protected,” said Attorney General James. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”
Background on the Attack
In June 2020, attacker(s) gained access to an EyeMed email account, which was used by EyeMed clients to provide sensitive consumer data in connection with vision benefits enrollment and coverage. The intrusion, which lasted approximately a week, granted the attacker the ability to view emails and attachments dating back six years, including consumers’ names, addresses, Social Security numbers, and insurance account numbers.
In July 2020, the attacker sent approximately 2,000 phishing emails from the compromised email account to EyeMed clients, seeking login credentials for their accounts. EyeMed’s IT department noticed the phishing emails and also received inquiries from clients about these emails. EyeMed then blocked the attacker’s access to its system and began investigating the intrusion.
In September 2020, the company began notifying affected consumers whose personal information was compromised during the breach. With the notification, the company offered affected customers with identity theft protection services. The Office of the Attorney General determined that, at the time of the attack, EyeMed had failed to implement multifactor authentication (MFA) for the affected email account, despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information. Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information. The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents.
In total, the breach affected approximately 2.1 million U.S. residents, including 98,632 in New York.
Terms of the Agreement
As part of the agreement, EyeMed is required to enact a series of measures to protect consumers’ personal information from cyberattacks in the future, including:
· Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regularly reporting to the company's leadership any security risks;
· Maintaining reasonable account management and authentication, including requiring the use of multi-factor authentication for all administrative or remote access accounts, and reviewing such safeguards annually;
· Encrypting sensitive consumer information that it collects, stores, transmits and/or maintains;
· Conducting a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities within the EyeMed network;
· Implementing and maintaining appropriate logging and monitoring of network activity that are accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged; and
· Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.
EyeMed has also agreed to pay the state of New York $600,000 in penalties.