
New York State Fines EyeMed $4.5 Million for Phishing Attack and 2.1M-Record Data Breach

The New York State Department of Financial Services (DFS) has agreed to settle its investigation into EyeMed Vision Care (EyeMed) for potential violations of the DFS Cybersecurity Regulation for $4.5 million.

EyeMed is an Ohio-based licensed health insurance company, which collects and stores sensitive consumer information as part of its business practices. EyeMed Vision Care was investigated by the DFS after EyeMed disclosed it had been the victim of a phishing attack and data breach that was discovered on July 1, 2020. An employee responded to a phishing email and disclosed credentials to a shared EyeMed mailbox that contained more than 6 years’ worth of non-public consumer information, including the information of minors, related to vision benefits enrollment and coverage. After accessing the account, malicious actors used it to send more than 2,000 phishing emails to EyeMed clients to trick them into disclosing their EyeMed login credentials. EyeMed was alerted to the breached email account when its clients complained about receiving phishing emails from EyeMed.

EyeMed’s investigation confirmed that unauthorized individuals first accessed the email account on June 24, 2020, and that access continued until July 1, 2020, when the breach was discovered and access to the email account was terminated. The email account contained the information of approximately 2.1 million individuals, including the data of 98,632 New York residents.

The DFS determined that EyeMed was in violation of the DFS Cybersecurity Regulation (23 NYCRR Part 500) due to its failure to implement multi-factor authentication for its email environment. EyeMed had also failed to limit user access privileges, as nine employees shared login credentials for the affected email account. Further, EyeMed had neither implemented sufficient data retention limits on information in the email account nor implemented sufficient data disposal processes. If multi-factor authentication had been implemented, the data breach could have been prevented, and proper data retention and disposal practices would have lessened the severity of the data breach if it had not been possible to prevent it.


Further investigation revealed EyeMed had not conducted a comprehensive risk assessment, which is one of the core requirements of the DFS Cybersecurity Regulation. If a risk assessment had been conducted, it would have highlighted the shared login credentials, the lack of multi-factor authentication, and the lack of data retention/disposal policies. Those risks could then have been managed and reduced to a low and acceptable level. DFS also determined that EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper.

In addition to paying the financial penalty, EyeMed has agreed to conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan that describes how the risks identified in the assessment will be addressed. The risk assessment and action plan must be reviewed and approved by the DFS.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” said New York State Superintendent of Financial Services, Adrienne A. Harris. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”

The phishing attack and data breach were also investigated by the Office of the New York Attorney General, which arrived at similar conclusions and fined EyeMed $600,000 in January 2022.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
