4 State AGs Punch EyeMed With $2.5 M Fine for 2020 BreachNJ, Pennsylvania, Oregon, Florida Settlements Follow Earlier Fines by NY Regulators
The attorneys general of four states levied a $2.5 million fine on vision care provider EyeMed to settle an investigation into a 2020 email phishing incident that exposed the personal data of 2.1 million individuals in the United States.
The settlement between EyeMed and New Jersey, Florida, Pennsylvania and Oregon comes on the heels of $5.1 million in penalties that the company agreed late last year to pay to New York regulators for the same breach (see: NY Smacks EyeMed Vision With Another Breach Fine).
The latest state enforcement actions settle EyeMed's potential HIPAA infringement as well as its violation of state consumer protection laws, said New Jersey Attorney General Matthew Platkin, who co-led the litigation.
The 2020 phishing incident affected 90,000 people in Florida, 52,000 in New Jersey, 61,000 in Pennsylvania and 11,000 in Oregon.
Under the agreement with EyeMed, New Jersey, Florida and Oregon will receive a settlement payment of $750,000. Pennsylvania will receive $250,000, a spokesman in the New Jersey attorney general's office told Information Security Media Group.
In addition to the financial payments to the four states, EyeMed, an Ohio-based subsidiary of Italian eyewear conglomerate Luxottica Group PIVA, agreed to implement a list of measures to improve its data privacy and security.
That includes multifactor authentication, comprehensive monitoring and analysis to detect, analyze and escalate security incidents, and maintaining email protection and filtering solutions for all EyeMed’s email accounts.
“This is more than just a monetary settlement. It's about changing companies' behavior to better protect crucial patient data," Platkin said in a statement.
The settlement states that in June 2020, an unauthorized user gained access to an EyeMed email account, exposing about six years of consumer information, including Social Security numbers, names, addresses, birthdates, phone numbers, email addresses, medical diagnoses and treatment information.
Among other security lapses, several EyeMed employees shared a single password to an email account used to communicate sensitive consumer data, including vision benefits enrollment and coverage information despite a company policy prohibiting shared use of email accounts.
EyeMed system administrators detected the incident after the attacker sent approximately 2,000 phishing emails from the enrollment account asking for customer login credentials.
At the time of the incident, EyeMed was rolling out multifactor authentication after it had migrated to the Microsoft Office 365 email platform in 2018, but it didn't complete the rollout until September 2020.
Prior to the breach, EyeMed had engaged third parties to conduct risk assessment, but those assessments did not evaluate the company's email system.
Under the settlement, EyeMed must provide affected individuals in the four states with two years of credit and identity monitoring.
EyeMed did not immediately respond to ISMG's request for comment on the settlement.