
EyeMed Vision Care, a company based in Ohio that offers vision benefits, has agreed to pay $5,000,000 to settle a class action lawsuit related to a healthcare data breach. This recent settlement marks the final resolution in a series of investigations and settlements totaling over $12.6 million.
The issues began five years ago with a phishing email that led to a data breach.
Since 2020, EyeMed has faced investigations and paid settlements over the same data breach in five states: New York, New Jersey, Florida, Pennsylvania, and Oregon. Two investigations by New York state resulted in payments totaling $5.1 million, while the other four states’ attorneys general consolidated their investigations, resulting in a $2.5 million fine.
History of EyeMed Enforcement Actions
The three other enforcement actions against EyeMed for the same 2020 data breach are the following:
- January 2022: New York Attorney General: EyeMed agreed to a $600,000 fine and a corrective action plan to resolve alleged violations of the New York General Business Law (SHIELD Act). The investigation cited the failure to implement multi-factor authentication (MFA), poor password management, and inadequate logging and data retention.
- October 2022: New York State Department of Financial Services (DFS): The DFS fined EyeMed $4.5 million for violations of its Cybersecurity Regulation. This enforcement action specifically highlighted the failure to implement MFA, poor user access privileges (allowing nine employees to share login credentials), and insufficient data retention and disposal processes.
- May 2023: Multi-State Attorneys General: EyeMed paid a $2.5 million fine to settle an investigation led by the Attorneys General of New Jersey, Florida, Pennsylvania, and Oregon. The investigation focused on potential HIPAA and state consumer protection law violations, citing the shared single password, failure to roll out MFA fully, and inadequate risk assessment.
The Class Action Lawsuit
The civil class action lawsuit was filed in Ohio federal district court in January 2021. The complaint in Tate, et al. v. EyeMed Vision Care, LLC, alleged negligence, breach of implied contract, and violations of various California state laws.
EyeMed has consistently denied wrongdoing or liability but stated it chose to settle to avoid the expense and uncertainty of ongoing litigation. The preliminary court approval for the settlement was granted in July 2025, with a final fairness hearing scheduled for January 7, 2026.
Phishing is the Most Common Entry Point for Hackers
The data breach incident began on or around June 24, 2020, when an EyeMed employee responded to a phishing email, compromising a shared email account used for enrollment processing. The cyber attacker had access to the account for about a week until it was detected on July 1, 2020, after the unauthorized user sent approximately 2,000 phishing emails from the compromised address to EyeMed clients.
The key vulnerability was a lack of sufficient security controls: the enrollment mailbox, shared by nine employees and protected by only a weak password, contained up to six years of sensitive customer information. Compromised data included names, contact details, dates of birth, Social Security numbers, vision insurance IDs, medical diagnoses, and treatment information.
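The pattern described above, a shared mailbox that suddenly sends roughly 2,000 messages from an unfamiliar location and goes unnoticed for about a week, is exactly what a simple outbound-volume baseline is meant to catch. The script below is an added example, not code from the article or from EyeMed: it flags any sender whose rolling 24-hour send count exceeds a threshold and any sender seen logging in from more than one source address (a tell-tale sign of shared credentials or an outside login). The log format, addresses, threshold, and traffic are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event tuple: (timestamp, sender, recipient, source IP). Constructed format, not any real product's log.

def build_sample_events():
    """Constructed sample traffic: a few routine sends a day from the office LAN,
    then an overnight burst from an outside address, mimicking the incident above."""
    events = []
    base = datetime(2020, 6, 22, 9, 0)
    for day in range(4):                       # routine: 3 messages per day from 10.0.0.5
        for i in range(3):
            events.append((base + timedelta(days=day, hours=i), "enrollment@example.com",
                           f"client{day}{i}@example.org", "10.0.0.5"))
    burst = datetime(2020, 6, 25, 2, 0)        # 120 messages in two hours from 203.0.113.9
    for i in range(120):
        events.append((burst + timedelta(minutes=i), "enrollment@example.com",
                       f"target{i}@example.org", "203.0.113.9"))
    events.append((base, "hr@example.com", "staff@example.com", "10.0.0.7"))  # unrelated sender
    return sorted(events)

def peak_window_count(events, window=timedelta(hours=24)):
    """Return {sender: highest number of messages sent within any rolling window}."""
    by_sender = defaultdict(list)
    for ts, sender, _rcpt, _ip in events:
        by_sender[sender].append(ts)
    peaks = {}
    for sender, times in by_sender.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):       # two-pointer sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[sender] = best
    return peaks

def bulk_senders(events, threshold=50, window=timedelta(hours=24)):
    """Senders whose peak rolling-window volume exceeds the per-mailbox threshold."""
    return {s: n for s, n in peak_window_count(events, window).items() if n > threshold}

def multi_source_senders(events):
    """Senders seen from more than one source address: shared credentials or an outside login."""
    sources = defaultdict(set)
    for _ts, sender, _rcpt, ip in events:
        sources[sender].add(ip)
    return {s: sorted(ips) for s, ips in sources.items() if len(ips) > 1}

if __name__ == "__main__":
    sample = build_sample_events()
    print("bulk senders:", bulk_senders(sample))
    print("multi-source senders:", multi_source_senders(sample))
```

In practice the threshold would come from each mailbox's own historical baseline rather than a fixed number, and the alert would be routed to the team that can disable the account and force a credential reset.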
Class Action Settlement Terms
Although $5,000,000 seems like a substantial settlement fund, the potential number of claimants in the case makes it unlikely that any one claimant will receive much.
The Size of the Class is Unknown
Court documents indicate that the settlement class numbers approximately 692,000, although other estimates revealed in earlier investigations are much higher.
While EyeMed initially reported to the U.S. Department of Health and Human Services (HHS) that the breach affected 1.47 million people, the later regulatory actions in five states placed the number of affected individuals at 2.1 million nationwide.
Potential Settlement Payments
Under the terms of the settlement, class members – defined as all U.S. residents notified by EyeMed of the incident – are eligible for financial compensation from one or more of the following three options:
- Cash Payment: A prorated cash payment, estimated at around $50*, from the remaining fund after other costs.
- Lost Time Compensation: Up to $100 for a maximum of four hours of lost time ($25/hour) spent addressing issues related to the breach.
- Out-of-Pocket Expenses: Up to a maximum of $10,000 for documented, unreimbursed expenses resulting from the breach, including credit monitoring, fraud, and identity theft losses.
*Given the potential number of class members eligible for compensation, the actual pro rata cash payment for any one of them is likely to be much lower than $50.
As the settlement agreement notes:
“The Settlement Administrator will make pro rata settlement payments, which may increase or decrease the amount of the cash payment. No documentation or attestation is required.”
After attorneys’ fees (up to $1,666,666), attorney expenses (up to $50,000), settlement administration costs, payments to three class representatives ($7,500 total), and deductions for lost-time and out-of-pocket expense claims, the remaining fund is less than $3.25 million. While the total number of potential claimants is unknown, it ranges between about 692,000 and 2 million.
Not all will file claims, of course. However, if only 20% of eligible individuals file the cash payment claim, there will not be enough funding to pay everyone $50.
- Using the more conservative number of claimants, 692,000, 20% of them would each receive $23.
- If the number of eligible claimants is 2,000,000, 20% of them would each receive $8.13.
The court authorized a settlement website to inform class members how to make a claim.
Mandated Cybersecurity Improvements
The settlement agreement also mandates EyeMed to improve its cybersecurity infrastructure and business practices, including:
- Implementing and enhancing multifactor authentication (MFA) across its network.
- Improving authorization requirements for network access.
- Updating internal password reset and complexity requirements.
- Conducting mandatory security awareness training for employees.
- Shortening the data retention period for the compromised email box.
- Engaging a third-party firm to conduct an updated HIPAA security risk assessment.
The HIPAA Security Rule is the Best Defense
All of the mandated improvements in the settlement are part of the Security Rule’s safeguards for keeping protected health information private and secure. If EyeMed had been carefully following the cybersecurity standards and conducting an annual HIPAA risk analysis, its liability would likely have been far less. A risk analysis and risk management plan strengthen data security by helping organizations identify and mitigate their risks.
With proactive compliance, investigations and lawsuits are less likely to occur, and if they do, they are much easier to defend.

