Vision Benefits Provider Settles Email Data Breach

Posted by HIPAA Software on Feb 08, 2022

New York Attorney General Letitia James has announced a settlement over an email data breach in the US healthcare sector. EyeMed Vision Care, a vision benefits provider based in Ohio, will pay a financial penalty of $600,000 to resolve a 2020 data breach that affected the personal information of 2.1 million people across the country, including 98,632 New York residents.

EyeMed was found to have inadequate data protection and to lack basic security measures such as logging of email account activity, a password policy, and two-factor authentication. These deficiencies allowed hackers to access the company's email accounts, which held valuable patient health information, for an entire week.

History of EyeMed Email Data Breach

On June 24, 2020, unauthorized persons gained access to an EyeMed email account that contained sensitive patient information. The account held numerous lists of full names, contact details, birth dates, driver's license numbers, complete or partial Social Security numbers, and details of medical insurance accounts. The hacker was able to view all messages stored since 2014. On July 1, 2020, IT specialists discovered that about 2,000 phishing emails had been sent from the account to the company's clients, and many recipients questioned the legitimacy of those emails.

The EyeMed cybersecurity team then secured the account, but the breach already had serious consequences. The forensic investigation confirmed that the attacker might have exfiltrated files from the email account; nevertheless, experts could not determine whether any personal data was actually stolen. In September 2020, the provider notified affected individuals and offered them remediation for the HIPAA violations: fraud consultation, identity theft restoration services, and complimentary credit checking.


EyeMed Vision Care Violated the Security Requirements

The Office of the New York Attorney General started its own investigation of the EyeMed cyberattack. It determined that the company had failed to implement appropriate security measures and to prevent the breach of New York residents' PHI. Although the company falls within the coverage of the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the Act's requirements were not followed.

There was no multifactor authentication and no adequate password management for users, and the company neglected the requirements for admin-level accounts. Six failed login attempts were allowed before a user ID was locked out. Additionally, EyeMed did not maintain sufficient logging and monitoring of email accounts, which made it difficult to identify and investigate security incidents. Finally, staff should not have kept older emails for such a long period of time without a secure system for doing so.

Penalties for Vision Benefits Provider

State attorneys general have the authority to impose financial penalties for HIPAA violations. Although it would have been possible to cite violations of HIPAA, New York cited only violations of New York General Business Law.

First, EyeMed must pay a financial penalty of $600,000 under the terms of the settlement, which was reached in January 2022. The company must also implement several measures to strengthen its cybersecurity and prevent further data breaches:

  • Encrypting sensitive consumer information;
  • Establishing reasonable account management and authentication;
  • Maintaining a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities;
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it;
  • Implementing appropriate logging and monitoring of network activity;
  • Maintaining a comprehensive information security program to keep pace with changes in technology and security threats.

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James.
