New Jersey, Oregon, Pennsylvania, and Florida reached a $2.5 million settlement with EyeMed Vision Care to resolve claims that “deficiencies” in its security program caused a 2020 data breach tied to over 2.1 million patients nationwide.
EyeMed is owned by eyecare giant Luxottica, which provides vision benefits for health insurance companies.
In total, the states’ audit found six security program flaws, including failure to ensure data protections, lack of an accurate and thorough risk assessment, inadequate password policies, ineffective email security measures, and failure to implement effective user verification measures.
This is the third settlement reached between EyeMed and state attorneys general in the last 18 months. New York issued a $600,000 fine with the company in January 2022, after an investigation found serious gaps in its security measures. And in October, New York again slapped EyeMed with a $4.5 million fine after determining those gaps contributed to the breach.
The investigations were spurred by a 2020 breach notice from EyeMed, which revealed a threat actor gained access to an employee email account and sent over 2,000 phishing emails to the account’s contact list on July 1, 2020. The actor had control of the account for a week.
“The investigation confirmed that the attacker had the ability to exfiltrate the documents and information within the EyeMed email account during the time that the attacker was accessing the account,” according to the multi-state consent order. “Investigators were unable to rule out that such exfiltration had occurred.”
The impacted account contained data tied to current and former vision benefits’ members, including contact details, dates of birth, vision insurance account and identification numbers, driver’s licenses and other government identification numbers, health insurance account and identification numbers, Medicaid or Medicare numbers, and birth or marriage certificates.
Some patients also had partial or full Social Security Numbers and/or financial data compromised during the hack, in addition to medical diagnoses, health conditions, treatments, and/or passport numbers. Approximately six years of personal and medical data was exposed.
The latest multi-state audit into the breach echoed the findings of New York’s report, confirming that EyeMed’s inadequate security program contributed to the incident and violated state consumer and personal information protection laws, as well as the Health Insurance Portability and Accountability Act.
Specifically, “several EyeMed employees were sharing a single password to an email account used by EyeMed employees to communicate sensitive consumer information,” such as details on plan members’ vision benefits enrollment and coverage, according to the findings.
The audit also found that while EyeMed had started to roll-out multi-factor authentication prior to the email hack, it was not fully implemented at the time of the incident. And although it had a policy barring the shared use of email accounts, nine employees were able to access the account by sharing the same username and password.
What’s more, due to licensing limitations on its email account, the company was not able to “determine if email items were accessed, when email items were replied to or forwarded beyond 90 days; or identify when a user searched and what the user searched for,” the order noted.
“New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” New Jersey Attorney General Matthew Platkin said in a statement.
“This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data,” he added.
In addition to the monetary settlement, EyeMed is required to make significant changes to its privacy and security program that will ensure compliance with consumer protection laws and HIPAA. The requirements include, “not misrepresenting the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.”
EyeMed must continue to employ a leader responsible for the security plan’s implementation, maintenance, and monitoring. Notably, HIPAA requires all covered entities to employ a security officer in charge of the “creation and execution of policies and procedures that ensure the security of electronic Protected Health Information.”
The company is also mandated to report “all data breaches immediately,” maintain “reasonable policies and procedures” for data collection, use, and retention, in addition to leveraging “appropriate” access controls on accounts that receive and transmit health data, “including, but not limited to, instituting appropriate authentication measures,” the consent order stated.