New Jersey, Oregon, Pennsylvania and Florida have reached a $2.5 million settlement with EyeMed Vision Care to resolve claims that deficiencies in its security program led to a 2020 data breach affecting more than 2.1 million patients nationwide.
EyeMed is owned by eye care giant Luxottica, which provides vision benefits to health insurance companies.
In total, the state audit found six security program flaws, including failure to ensure data protection, lack of an accurate and thorough risk assessment, inadequate password policies, ineffective email security measures and failure to implement effective user verification measures.
This is the third agreement reached between EyeMed and attorneys general in the last 18 months. New York fined the company $600,000 in January 2022, after an investigation found serious flaws in its security measures. And in October, New York fined EyeMed again, this time $4.5 million, after determining that those lapses contributed to the violation.
The investigation was spurred by a 2020 breach notice from EyeMed, which revealed that a threat actor gained access to an employee’s email account and, on July 1, 2020, sent more than 2,000 phishing emails to the account’s entire contact list. The actor had control of the account for a week.
The investigation confirmed that the attacker had the ability to exfiltrate the documents and information within the EyeMed email account during the time the attacker was accessing it, according to the multi-state consent order. Investigators were unable to rule out that such an exfiltration had occurred.
The affected account contained data relating to current and former members of vision benefits, including contact details, dates of birth, vision insurance account and identification numbers, driver’s licenses and other government identification numbers, health insurance and identification numbers, Medicaid or Medicare numbers, and birth or marriage certificates.
Some patients also had partial or full Social Security numbers and/or financial data compromised during the hack, as well as medical diagnoses, health conditions, treatments and/or passport numbers. About six years of personal and medical data were exposed.
The latest multi-state breach audit echoed the findings of the New York report, confirming that EyeMed’s inadequate security program contributed to the incident and violated state consumer and personal information protection laws, as well as the Health Insurance Portability and Accountability Act.
Specifically, according to the findings, several EyeMed employees shared a single password for an email account used to communicate sensitive consumer information, such as membership details and plan members’ vision benefit coverage.
The audit also found that while EyeMed had begun implementing multi-factor authentication prior to the email hack, it had not been fully implemented at the time of the incident. And although it had a policy prohibiting the shared use of email accounts, nine employees were able to log into the account sharing the same username and password.
Also, due to licensing limits on its email account, the company was unable to determine whether email items were accessed, when email items were replied to or forwarded beyond the 90-day window, or when a user searched the mailbox and what they searched for, the order noted.
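The two findings above (a mailbox credential shared by nine people, and audit logs that could not answer basic questions about the account) are exactly what a defender can check for in authentication logs. The following is an added example, not code from the article or from EyeMed: it scans constructed mail-login log lines for accounts used from several distinct source IPs or clients inside a short window (the signature of a shared credential), and checks whether the retained log actually spans the period an investigation needs to cover. The log format, account names, IP addresses and function names are all assumptions made for the example.

```python
"""Flag mailbox accounts that look shared, and check audit-log coverage.

Added example (not the article's or EyeMed's code). The log format below is
an assumption; adapt parse_line() to whatever your mail platform emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, result, account, source IP, client.
# IPs are from documentation ranges; none of this is real data.
SAMPLE_LOG = """\
2020-07-01T08:02:11Z login ok account=benefits-shared@example.com ip=198.51.100.7 client=Outlook
2020-07-01T08:05:40Z login ok account=benefits-shared@example.com ip=203.0.113.21 client=OWA
2020-07-01T08:07:02Z login ok account=benefits-shared@example.com ip=192.0.2.99 client=IMAP
2020-07-01T08:09:15Z login ok account=alice@example.com ip=198.51.100.7 client=Outlook
2020-07-01T09:30:00Z login ok account=alice@example.com ip=198.51.100.7 client=Outlook
2020-07-01T10:12:45Z login fail account=benefits-shared@example.com ip=192.0.2.99 client=IMAP
2020-07-02T08:01:03Z login ok account=benefits-shared@example.com ip=203.0.113.50 client=OWA
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime and the key=value fields."""
    ts, _, status, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": status == "ok",
        "account": fields["account"],
        "ip": fields["ip"],
        "client": fields["client"],
    }


def parse_log(log_text):
    """Return all events in the log, oldest first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_shared_accounts(log_text, window=timedelta(hours=1), min_sources=2):
    """Map account -> largest number of distinct (ip, client) pairs that
    successfully logged in within any `window`-long period.

    Only accounts reaching `min_sources` are returned. A single person
    switching devices can trip this, so treat hits as leads to review
    against the account-sharing policy, not as proof of compromise.
    """
    by_account = defaultdict(list)
    for event in parse_log(log_text):
        if event["ok"]:
            by_account[event["account"]].append(event)

    flagged = {}
    for account, events in by_account.items():
        for i, first in enumerate(events):
            sources = {(first["ip"], first["client"])}
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are sorted, so the window is exhausted
                sources.add((later["ip"], later["client"]))
            if len(sources) >= min_sources:
                flagged[account] = max(len(sources), flagged.get(account, 0))
    return flagged


def log_covers(log_text, start, end):
    """True only if retained log entries exist on or before `start` and on
    or after `end`, i.e. the log can answer questions about that period.
    A short retention window (e.g. 90 days) shows up here as False."""
    events = parse_log(log_text)
    if not events:
        return False
    return events[0]["ts"] <= start and events[-1]["ts"] >= end


if __name__ == "__main__":
    for account, n in find_shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared credential: {account} ({n} distinct sources within 1h)")
    print("log covers 1-2 July?", log_covers(SAMPLE_LOG, datetime(2020, 7, 1), datetime(2020, 7, 2)))
```

On the constructed log this flags `benefits-shared@example.com` (three distinct IP/client pairs within a few minutes) and leaves `alice@example.com` alone, and reports that the retained log does not reach back to the start of 1 July, which is the kind of gap that later limits an investigation. In a real deployment the same logic runs against the mail platform’s sign-in audit events, and the retention check is worth running before an incident rather than during one.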
“New Jersey residents trusted EyeMed with their vision care and personal information only to have that trust broken by the company’s poor security measures,” New Jersey Attorney General Matthew Platkin said in a statement.
“This is more than just a monetary deal, it’s about changing the behavior of companies to better protect crucial patient data,” he added.
In addition to the monetary settlement, EyeMed is required to make significant changes to its privacy and security program to ensure compliance with consumer protection laws and HIPAA. Among the requirements, EyeMed must not misrepresent the extent to which it maintains and protects the privacy, security or confidentiality of consumer information.
EyeMed must continue to employ a leader responsible for implementing, maintaining and monitoring its security plans. HIPAA specifically requires all covered entities to designate a security officer charged with creating and executing policies and procedures that ensure the security of electronic protected health information.
The company is also required to promptly report all data breaches, maintain reasonable policies and procedures for data collection, use and retention, and apply appropriate access controls to accounts that receive and transmit health data, including, but not limited to, setting up adequate authentication measures, the consent order stated.