EyeMed Vision Care will pay a whopping $4.5 million penalty to New York State for violating New York’s Department of Financial Services (DFS) Cybersecurity Regulation. This payment is on top of a $600,000 settlement EyeMed paid to the New York attorney general in January 2022 resulting from the same 2020 healthcare data breach affecting 2.1 million individuals, including 98,632 New York residents.
EyeMed, based in Cincinnati, Ohio, is a vision care insurer serving customers such as Lenscrafters, PearleVision and Target Optical, among others, across the country. Its parent company is Luxottica Group SpA, an Italian eyewear company.
Eye care providers have had a string of cybersecurity incidents and enforcement issues over the past two years.
Phishing Still Works
This EyeMed data breach began on June 24, 2020 with a phishing attack that impacted 2.1 million vision care patients nationwide. Over the course of a week, a criminal hacker was able to access a shared EyeMed email inbox containing consumer information, including names, contact information, dates of birth, account information for health insurance accounts, Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses and medical treatment information. Much of the information dated back six years.
On July 1, 2020, the attacker sent approximately 2,000 phishing emails from the enrollment email account to EyeMed clients. The phishing messages pretended to be a request for proposal in order to deceive recipients into providing their credentials to the attacker. EyeMed IT staff noticed the emails that day and heard from clients asking about them, and were then able to block access and stop the attack.
States Enforce State Privacy and Cybersecurity Laws
In the earlier investigation, the New York attorney general found that, at the time of the attack, EyeMed had failed to implement multifactor authentication (MFA) and failed to implement sufficient password management requirements for the enrollment email account. Both failures violate New York’s health privacy and consumer protection laws.
The later DFS investigation looked at whether EyeMed violated New York’s cybersecurity regulation, which governs all financial and insurance service companies operating in New York. The DFS announcement noted that, in addition to a lack of multifactor authentication,
“…EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox.”
Note that these two investigations were not conducted by the Office for Civil Rights (OCR) under HIPAA. OCR would also have investigated, since it investigates all breaches affecting 500 or more individuals. The failures cited in both investigations would also have been clear violations of the HIPAA Security Rule. The outcome of OCR’s investigation is unknown – it may have been resolved without a public announcement.
State privacy laws are similar to HIPAA and attorneys general will investigate especially when a substantial number of state residents are affected. In the EyeMed case, almost 100,000 New York residents were harmed.
Follow the HIPAA Security Rule
HIPAA is a blueprint for preventing cybercrime. The safest bet is to follow federal laws regarding the privacy and security of protected health information, because state privacy laws are so similar. It is important to check whether your state law is more stringent than HIPAA, because if so, the state law will apply. Otherwise, HIPAA policies and procedures are the guidepost.
EyeMed’s failures could have been prevented with basic HIPAA 101 compliance. Don’t let this happen to you. Get the best protection, the most up-to-date policies, and answers when you need them at The HIPAA E-Tool®.