NY Fines Vision Benefits Firm $600,000 for 2020 Breach – GovInfoSecurity.com

Benefits provider EyeMed Vision Care LLC has agreed to pay $600,000 and implement a long list of data security improvements as part of a settlement with the New York attorney general’s office following a 2020 email breach that affected 2.1 million individuals, including nearly 99,000 New Yorkers.
In a statement released Monday, the New York state attorney general’s office said attackers in the 2020 data breach accessed an email account of Mason, Ohio-based EyeMed containing sensitive customer information, including names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information.
While the intrusion itself lasted about a week, it permitted the attacker access to emails and attachments containing sensitive customer information dating back six years prior to the attack, the statement says.
“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” New York Attorney General Letitia James says in the statement.
“Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”
A settlement document in the case alleges that New York’s investigation into the breach found that EyeMed failed to comply with various New York state requirements in protecting consumer information.
According to the settlement document, on or about June 24, 2020, unknown attackers gained access to an EyeMed email account that was used by some EyeMed Clients to provide sensitive consumer data in connection with vision benefits enrollment and coverage. The attacker entered login credentials via a web browser and mail client, the document says.
“EyeMed did not detect the unauthorized access to the email account at the time it occurred. From June 24 through July 1, 2020, the attacker accessed the email account from a number of IP addresses, some of which were outside of the United States,” the document says.
On July 1, 2020, the attacker sent approximately 2,000 phishing emails from the enrollment email account to EyeMed clients. “The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker. Later the same day, EyeMed’s IT department observed the transmission of these phishing emails from the email account, and received inquiries from clients about the suspicious emails,” the document says.
EyeMed blocked the attacker’s access to the email account, and EyeMed’s internal IT team began an investigation into the scope of the incident, which was followed by a forensic investigation conducted by external cybersecurity experts.
“The investigation confirmed that the attacker had the ability to exfiltrate the documents and information within the affected email account during the time that the attacker was accessing the account. Investigators were unable to rule out that such exfiltration had occurred.”
On Sept. 28, 2020, EyeMed began to notify affected individuals and regulators about the breach.
The New York state investigation into the breach determined that, at the time of the attack, EyeMed had failed to implement multifactor authentication for the affected email account, even though the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information, the attorney general’s statement says.
EyeMed also failed to implement adequate password management requirements for the enrollment email account, given that it was accessible via a web browser and contained a large volume of sensitive personal information, the statement says.
The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents, according to the document.
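The three findings above (an account reachable from the open internet without MFA, logins from many IP addresses including some abroad, and a burst of roughly 2,000 phishing messages sent before anyone noticed) are exactly the pattern mailbox audit logging is meant to expose. The following is an added example, not code from the article, the attorney general's office or EyeMed: it runs two simple detections over a handful of constructed audit log lines shaped after the settlement's timeline. The log format, field names, mailbox names, IP addresses and the IP-to-country table are all assumptions made for the example.

```python
"""
Added example (not from the article or from EyeMed): two detections a
defender would want mailbox audit logging to support, run over constructed
log lines that mimic the timeline the settlement describes:
  1. one account authenticating from many source IPs, some outside the US
  2. the same account sending an unusually large burst of mail in one day
Log format, field names, addresses and the IP-to-country table are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: "<ISO timestamp> <event> user=<mailbox> ip=<addr> [count=N]"
SAMPLE_LOG = """\
2020-06-24T08:02:11 LOGIN user=enrollment@example.com ip=203.0.113.10
2020-06-24T08:03:40 LOGIN user=enrollment@example.com ip=198.51.100.7
2020-06-25T22:14:09 LOGIN user=enrollment@example.com ip=192.0.2.44
2020-06-27T03:30:55 LOGIN user=enrollment@example.com ip=203.0.113.10
2020-06-30T11:47:02 LOGIN user=enrollment@example.com ip=198.51.100.99
2020-07-01T09:00:00 SEND user=enrollment@example.com ip=203.0.113.10 count=2000
2020-06-24T09:15:00 LOGIN user=alice@example.com ip=192.0.2.8
2020-06-24T17:20:00 SEND user=alice@example.com ip=192.0.2.8 count=12
"""

# Constructed IP-to-country table; a real deployment would query a GeoIP database.
IP_COUNTRY = {
    "192.0.2.8": "US", "192.0.2.44": "US", "203.0.113.10": "US",
    "198.51.100.7": "DE", "198.51.100.99": "NL",
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": kv["user"],
            "ip": kv["ip"],
            "count": int(kv.get("count", 0)),
        })
    return events


def flag_login_spread(events, window=timedelta(days=7), max_ips=2, home="US"):
    """Return {user: finding} for accounts whose logins inside any `window`
    come from more than `max_ips` distinct IPs or from a non-`home` country."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN":
            logins[e["user"]].append(e)
    findings = {}
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window over login times
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            ips = {e["ip"] for e in in_window}
            foreign = sorted({IP_COUNTRY.get(e["ip"], "??") for e in in_window} - {home})
            if len(ips) > max_ips or foreign:
                findings[user] = {"distinct_ips": len(ips), "foreign_countries": foreign}
                break                            # first hit is enough to raise an alert
    return findings


def flag_send_burst(events, threshold=500):
    """Return {user: messages} for accounts that sent more than `threshold`
    messages on a single calendar day."""
    daily = defaultdict(int)
    for e in events:
        if e["event"] == "SEND":
            daily[(e["user"], e["ts"].date())] += e["count"]
    return {user: n for (user, day), n in daily.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("login spread:", flag_login_spread(evs))
    print("send bursts:", flag_send_burst(evs))
```

The first detection would have fired within the week the attacker held the account; the second is the signal EyeMed's IT staff eventually saw by hand. Neither is possible without the per-login source IP and per-message send records that the settlement says were not being kept, which is the practical meaning of the "adequate logging" finding.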
In addition to paying New York $600,000 in penalties, the settlement calls for EyeMed to implement a list of security improvements, including:
EyeMed did not immediately respond to Information Security Media Group’s request for comment.
As of Monday, the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows 714 major health data breaches reported in 2021 affecting more than 45.7 million individuals.
Of those, 200 incidents affecting nearly 6 million individuals were reported as breaches involving email.
With so many large data breaches tied to phishing, entities need to take into consideration steps to limit the potential exposure of vast volumes of sensitive data contained in the email accounts of their employees, says privacy attorney Iliana Peters of the law firm Polsinelli.
“While many state and federal regulations may not specifically address email or other systems’ retention requirements – although some, such as Colorado, arguably do – industry best practices dictate that retention for many duplicate documents, including what is in email, should not be for any longer than necessary for a specific business purpose,” Peters says.
“In other words, regulated entities should review whether or not they actually need the information in their email systems, in favor of purging or archiving that data, so it is not at risk to hackers.”
The settlement between New York regulators and EyeMed is the latest enforcement action by a state attorney general related to a major health data breach.
For instance, last year, New Jersey’s attorney general announced several settlements with entities related to health data breaches.
They include a $425,000 settlement with cancer treatment center Regional Cancer Care Associates LLC and two of its affiliates related to two 2019 data breaches that affected 105,200 consumers in several states, including more than 80,000 New Jersey residents. That settlement required RCCA to bolster its data security and privacy practices.
Some experts say they think more state attorney general actions are likely this year in other data breach cases.
“This recent settlement by the state attorney general in New York gives the regulated community a good idea of what should be expected now and in the future from the state attorneys general in all the states, as all of the state AGs appear to have increased their investigation of security incidents reported to them, involving residents of their states,” Peters says.
Many regulated entities do not understand that they must comply with the state regulations if they have data for residents of that state, not just if their business is located in that state, Peters says.
“Also, many state regulations impose requirements in addition to, or above and beyond, those of HIPAA. So, the patchwork of regulations with which many of these regulated entities must comply is quite extensive.”
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
While some recent enforcement actions by state attorneys general in health data breach cases – such as the New Jersey settlement with RCCA – cited allegations of HIPAA violations in addition to state law violations, the settlement announced Monday between EyeMed and the New York attorney general only cited violations of state laws.
“While under the HITECH Act, state attorneys general can pursue HIPAA violations, there is no requirement to do so,” says regulatory attorney Rachel Rose.
“In this instance, because emails were compromised, there may have been more personally identifiable information than protected health information involved. Even though PHI has components of PII, it was a call on the part of the attorney general to solely use the state law route.”
Executive Editor, HealthcareInfoSecurity, ISMG
McGee is executive editor of Information Security Media Group’s HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek’s healthcare IT media site.
