NY Fines Vision Benefits Firm $600,000 for 2020 BreachEmail Compromise Affected 2.1 Million Individuals Nationwide
Benefits provider EyeMed Vision Care LLC has agreed to pay $600,000 and implement a long list of data security improvements as part of a settlement with the New York attorney general's office following a 2020 email breach that affected 2.1 million individuals, including nearly 99,000 New Yorkers.
In a statement released Monday, the New York state attorney general's office said attackers in the 2020 data breach accessed an email account of Macon, Ohio-based EyeMed containing sensitive customer information, names, mailing addresses, Social Security numbers, identification numbers for health and vision insurance accounts, medical diagnoses and conditions, and medical treatment information.
While the intrusion itself lasted about a week, it permitted the attacker access to emails and attachments containing sensitive customer information dating back six years prior to the attack, the statement says.
“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals," New York Attorney General Letitia James says in the statement.
"Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers' best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information."
A settlement document in the case alleges that New York's investigation into the breach found that EyeMed failed to comply with various New York state requirements in protecting consumer information.
EyeMed Breach Details
According to the settlement document, on or about June 24, 2020, unknown attackers gained access to an EyeMed email account that was used by some EyeMed Clients to provide sensitive consumer data in connection with vision benefits enrollment and coverage. The attacker entered login credentials via a web browser and mail client, the document says.
"EyeMed did not detect the unauthorized access to the email account at the time it occurred. From June 24 through July 1, 2020, the attacker accessed the email account from a number of IP addresses, some of which were outside of the United States," the document says.
On July 1, 2020, the attacker sent approximately 2,000 phishing emails from the enrollment email account to EyeMed clients. "The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker. Later the same day, EyeMed’s IT department observed the transmission of these phishing emails from the email account, and received inquiries from clients about the suspicious emails," the document says.
EyeMed blocked the attacker’s access to the email account, and EyeMed’s internal IT team began an investigation into the scope of the incident, which was followed by a forensic investigation conducted by external cybersecurity experts.
"The investigation confirmed that the attacker had the ability to exfiltrate the documents and information within the affected email account during the time that the attacker was accessing the account. Investigators were unable to rule out that such exfiltration had occurred."
On Sept. 28, 2020, EyeMed began to notify affected individuals and regulators about the breach.
The New York state investigation into the breach determined that, at the time of the attack, EyeMed had failed to implement multifactor authentication for the affected email account, despite that the account was accessible via a web browser and contained a large volume of consumers' sensitive personal information, the attorney general's statement says.
EyeMed also failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information, the statement says.
The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents, according to the document.
In addition to paying New York $600,000 in penalties, the settlement calls for EyeMed to implement a list of security improvements, including:
- Maintaining a comprehensive information security program that includes regular updates and reporting to the company's leadership any security risks;
- Using multifactor authentication for all administrative or remote access accounts and reviewing such safeguards annually;
- Encrypting sensitive consumer information that it collects, stores, transmits and/or maintains;
- Conducting a penetration testing program;
- Applying and maintaining appropriate logging and monitoring of network activity that are accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
- Permanently deleting consumers' personal information when there is no reasonable business or legal purpose to retain it.
EyeMed did not immediately respond to Information Security Media Group's request for comment.
As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 714 major health data breaches reported in 2021 affecting more than 45.7 million individuals.
Of those, 200 incidents affecting nearly 6 million individuals were reported as breaches involving email.
With so many large data breaches tied to phishing, entities need to take into consideration steps to limit the potential exposure of vast volumes of sensitive data contained in the email accounts of their employees, says privacy attorney Iliana Peters of the law firm Polsinelli.
"While many state and federal regulations may not specifically address email or other systems' retention requirements - although some, such as Colorado, arguably do - industry best practices dictate that retention for many duplicate documents, including what is in email, should not be for any longer than necessary for a specific business purpose," Peters says.
"In other words, regulated entities should review whether or not they actually need the information in their email systems, in favor of purging or archiving that data, so it is not at risk to hackers."
Other State AG Actions
The settlement between New York regulators and EyeMed is the latest enforcement action by a state attorney related to a major health data breach.
For instance, last year, New Jersey's attorney general announced several settlements with entities related to health data breaches.
They include a $425,000 settlement with cancer treatment center Regional Cancer Care Associates LLC and two of its affiliates related to two 2019 data breaches that affected 105,200 consumers in several states, including more than 80,000 New Jersey residents. That settlement required RCCA to bolster its data security and privacy practices.
Some experts say they think more state attorney general actions are likely this year in other data breach cases.
"This recent settlement by the state attorney general in New York gives the regulated community a good idea of what should be expected now and in the future from the state attorneys general in all the states, as all of the state AGs appear to have increased their investigation of security incidents reported to them, involving residents of their states," Peters says.
Many regulated entities do not understand that they must comply with the state regulations if they have data for residents of that state, not just if their business is located in that state, Peters says.
"Also, many state regulations impose requirements in addition to, or above and beyond, those of HIPAA. So, the patchwork of regulations with which many of these regulated entities must comply is quite extensive."
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
While some recent enforcement actions by state attorneys general in health data breach cases - such as the New Jersey settlement with RCCA - cited allegations of HIPAA violations in addition to state law violations, the settlement announced Monday between EyeMed and the New York attorney general only cited violations of state laws.
"While under the HITECH Act, state attorneys general can pursue HIPAA violations, there is no requirement to do so," says regulatory attorney Rachel Rose.
"In this instance, because emails were compromised, there may have been more personally identifiable information than protected health information involved. Even though PHI has components of PII, it was a call on the part of the attorney general to solely use the state law route."