EyeMed has agreed to $600,000 in penalties to settle the case of a 2020 data breach that exposed the information of roughly 2.1 million consumers.
The agreement was announced this week. According to New York Attorney General Letitia James, the data breach exposed sensitive information, including names, mailing addresses, full or partial Social Security numbers, dates of birth, driving licenses, healthcare IDs, diagnoses and condition notes, and treatment information.
Out of the 2.1 million individuals involved in the security incident, 98,632 New York state residents.
Based in Cincinnati, Ohio, EyeMed Vision Care is a network provider for independent optometrists, opticians, ophthalmologists, as well as eye doctors in retail settings. The organization caters to over 60 million users.
According to court documents (.PDF), on or around June 24, 2020, an unknown attacker used stolen credentials to access an enrollment email account used by EyeMed. Over the course of a week, the threat actor was able to view correspondence and access sensitive consumer data.
The cybercriminal was able to exfiltrate this data, in theory, but a cyberforensics firm hired to investigate the incident was unable to conclude whether or not they did steal consumer information.
In July, the attacker then used the email account to send roughly 2,000 phishing emails to clients.
"The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker," the settlement document reads.
EyeMed was alerted to the intrusion once the scam messages were sent and booted the attacker from its system.
It took a further two months before impacted clients began to be notified of the data breach -- and as this has been conducted on a rolling basis, customers were still being told up to January 2021.
Clients have been offered credit monitoring services, fraud consultation, and identity theft restoration. Minors, too, were affected -- and for this group, EyeMed has also offered Social Security Number trace.
The Office of the Attorney General launched its own investigation into the data breach and concluded that the original email account was not protected with multi-factor authentication (MFA).
"Additionally, EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account given that it was accessible via a web browser and contained a large volume of sensitive personal information," the office says. "The company also failed to maintain adequate logging of its email accounts, which made it difficult to investigate security incidents."
Under the terms of the agreement, EyeMed will pay the state of New York penalties totaling $600,000. In addition, the company must improve its cybersecurity posture maintain "reasonable" account management protocols, including the implementation of MFA in remote and administrative settings, and sensitive information collected from consumers must be encrypted.
If it is no longer necessary to store consumer information, the company is now under orders to permanently delete it.
A penetration testing program must also be implemented to identify any vulnerabilities or further security issues in the EyeMed network.
"New Yorkers should have every assurance that their personal health information will remain private and protected," commented Attorney General James. "EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals. Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers' best interest."
ZDNet has reached out to EyeMed with additional queries, and we will update when we hear back.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0