US healthcare company EyeMed has reached a $600,000 settlement following a data breach that compromised the records of 1.2 million people.
EyeMed is a vision network benefits provider which offers discounted rates to its members.
It has agreed to pay New York State $600,000 in penalties as well as to adhere to a list of security practices including encrypting sensitive data and conducting penetration testing.
The security incident happened in June 2020 when an unauthorized actor gained access to an EyeMed email account.
During a week-long intrusion, the attacker had access to, and was able to view, emails and attachments dating back six years, an investigation found.
The emails contained one or more of the following consumer data elements: names; contact information including addresses; dates of birth; account information including identification numbers for health insurance accounts and vision insurance accounts; full or partial Social Security Numbers; Medicaid, drivers’ license or other government ID numbers; birth or marriage certificates; and medical diagnoses and treatment information.
Timeline
A month after the initial intrusion, in July 2020, the attacker sent approximately 2,000 phishing emails from the compromised email account to EyeMed clients, seeking login credentials for their accounts.
EyeMed blocked the attacker’s access after noticing the phishing emails and receiving enquiries from clients about these emails.
In September 2020, the company began notifying affected consumers whose personal information was compromised.
Of the 1.2 million individuals affected, 98,632 were from New York. An investigation by New York attorney general Letitia James highlighted a number of security shortcomings that were present at the time of the incident.
A report from the New York attorney general reads: “EyeMed failed to implement multifactor authentication (MFA) for the affected email account, despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information.
“EyeMed was aware of the importance of MFA to reasonable data protections, having required MFA for years before the attack for users to access EyeMed’s VPN.”
The company also failed to employ “sufficient password management” protocols. It set a minimum password length of only eight characters for the affected email account, said the report, while the password that the attacker used to gain access to the account was “insufficiently complex given the sensitivity of the information”.
Furthermore, EyeMed did not adequately log and monitor its accounts and should not have retained the data for more than six years, said the attorney general.
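The report faults EyeMed for not adequately logging and monitoring its accounts, and the roughly 2,000 phishing emails sent from one compromised mailbox are exactly the kind of anomaly a basic outbound-volume monitor would surface. The following is an added example, not code from the article, from EyeMed or from the attorney general's report: it parses a constructed mail-gateway send log and flags any mailbox whose sends within a sliding window exceed a threshold. The log format, the mailbox names, the 10-minute window and the 50-message threshold are all constructed assumptions.

```python
"""Flag mailboxes whose outbound mail volume spikes in a short window.

Added example: the log format, mailbox names, window and threshold below
are constructed assumptions, not values taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample of a mail-gateway send log.

    Each line is "<ISO timestamp> <sender> -> <recipient>". Two ordinary
    mailboxes send a few messages an hour; a third (the constructed
    stand-in for the compromised account) sends 300 messages in 10 minutes.
    """
    lines = []
    base = datetime(2020, 7, 1, 9, 0, 0)
    # Normal traffic: one send every 15 minutes from each of two mailboxes.
    for i in range(8):
        t = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{t} alice@example.com -> client{i}@customer.example")
        lines.append(f"{t} bob@example.com -> vendor{i}@supplier.example")
    # Burst: 300 sends spaced two seconds apart (598 s in total, so all of
    # them fall inside one 10-minute window).
    burst_start = base + timedelta(hours=1)
    for i in range(300):
        t = (burst_start + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} benefits-inbox@example.com -> client{i}@customer.example")
    return lines


def parse_line(line):
    """Return (timestamp, sender, recipient) for one log line."""
    ts, sender, _arrow, recipient = line.split()
    return datetime.fromisoformat(ts), sender, recipient


def peak_window_count(times, window):
    """Largest number of events that fall within any span of `window`.

    Two-pointer sweep over the sorted timestamps: advance `start` until the
    current event is within `window` of the window's oldest event.
    """
    times = sorted(times)
    best = 0
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_outbound_bursts(lines, window=timedelta(minutes=10), threshold=50):
    """Map each sender whose peak sends-per-window exceeds `threshold`
    to that peak count. Senders below the threshold are omitted."""
    sends = defaultdict(list)
    for line in lines:
        ts, sender, _recipient = parse_line(line)
        sends[sender].append(ts)
    return {
        sender: peak
        for sender, times in sends.items()
        if (peak := peak_window_count(times, window)) > threshold
    }


if __name__ == "__main__":
    for sender, peak in flag_outbound_bursts(build_sample_log()).items():
        print(f"ALERT: {sender} sent {peak} messages within 10 minutes")
```

The threshold is deliberately a plain count rather than a per-user baseline so the logic stays readable; a production monitor would derive the threshold from each mailbox's history and pair the volume signal with the recipient count, since a phishing wave from a stolen account hits many distinct recipients at once. The point the report makes stands either way: without the send log being collected and watched, no threshold of any kind can fire.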
Private and protected
“New Yorkers should have every assurance that their personal health information will remain private and protected,” said New York attorney general Letitia James.
“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest.
“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”