BUFFALO, N.Y. — New York State Attorney General Letitia James announced Monday an agreement with EyeMed that resolved a 2020 data breach.
The data breach affected 2.1 million members nationwide and more than 98,000 in New York State.
Investigators say attackers gained access to an EyeMed email account in June 2020. That email account was used by EyeMed clients to submit sensitive information in connection with vision benefits, enrollment and coverage. Officials say the attacker retained access for about a week and was able to view emails and attachments dating back six years.
The information in those emails included patient names, addresses, social security numbers and insurance account information.
In July 2020, investigators say the attacker sent around 2,000 phishing emails from the compromised account to EyeMed clients seeking their login credentials. The phishing emails were spotted by EyeMed's IT department, as well as by consumers who contacted EyeMed about them. EyeMed then blocked the attacker's access to the account and began an investigation.
Affected clients were notified of the data breach in September 2020 and were offered identity theft protection services.
The Attorney General's office says EyeMed failed to implement multi-factor authentication on the affected account and failed to impose sufficient password management requirements for enrollment.
“New Yorkers should have every assurance that their personal health information will remain private and protected,” said Attorney General James. “EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”
As part of the agreement, EyeMed must pay New York State $600,000 in penalties and take measures to protect consumers from cyberattacks, including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regularly reporting to the company's leadership any security risks
- Maintaining reasonable account management and authentication controls, including requiring multi-factor authentication for all administrative or remote access accounts, and reviewing those safeguards annually
- Encrypting sensitive consumer information that it collects, stores, transmits and/or maintains
- Conducting a reasonable penetration testing program designed to identify, assess, and remediate security vulnerabilities within the EyeMed network
- Implementing and maintaining appropriate logging and monitoring of network activity, with logs that remain readily accessible for at least 90 days and are retained for at least one year from the date the activity was logged
- Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.