EyeMed fined $600k for email data breach


Ohio-based benefits provider EyeMed Vision Care LLC has reached a settlement with the New York attorney general’s office over an email data breach in 2020. As part of the settlement, EyeMed will pay a $600,000 fine and implement data security measures. The data breach affected 2.1 million individuals nationwide and almost 99,000 New Yorkers.


What happened?

In June 2020, cybercriminals gained access to an EyeMed email account by entering “login credentials via a web browser and mail client.” The email account contained 6 years worth of data, including patient names, addresses, Social Security numbers, and insurance account numbers. 

On July 1, 2020, the cybercriminals used the same email account to launch phishing attacks against EyeMed clients. The phishing emails asked clients to provide their login credentials. Concerned clients then contacted EyeMed about the suspicious emails they had received, and the IT department observed the unauthorized activity.

Subsequently, EyeMed blocked access to the compromised email account and launched an investigation that confirmed the email data breach.

What did the New York attorney general investigation reveal about EyeMed’s security protocols?

The New York attorney general’s office conducted an investigation that found EyeMed was missing several security protocols. The settlement document points to four areas in which EyeMed failed to meet requirements for protecting personal information.

Multi-factor authentication (MFA): EyeMed didn’t implement MFA protocols for the affected email account, despite the account being accessible via a web browser and containing large amounts of sensitive information.

Password management: EyeMed did not have a robust password policy. The investigation revealed that the account password was “insufficiently complex” and that the account permitted up to six failed login attempts before the user ID was locked out.

Logging and monitoring: EyeMed had limited logging and monitoring capabilities, which made it difficult to determine which documents or emails the cybercriminals had accessed.

Data retention: The EyeMed email account held emails dating back to 2014. It was unreasonable to keep such a large amount of personal data in a single email account rather than moving older data to a more secure system.

The investigation concluded that EyeMed didn’t have the appropriate safeguards implemented in its network and failed to protect personal data.

What happens to EyeMed now?

EyeMed agreed to pay a $600,000 fine to the State of New York. It also agreed to implement data security measures to minimize the chance of data breaches occurring in the future. According to a press release, these measures include:

EyeMed has offered affected clients complimentary credit monitoring, fraud consultation, and identity theft restoration.

Don’t let email security become an afterthought

The EyeMed email security breach was easy to prevent, but EyeMed failed to implement the appropriate safeguards to protect patient data.

Paubox Email Suite Premium makes it simple and easy to keep patient data secure. It uses robust inbound security tools to stop malicious emails from entering your employees’ inboxes. It also includes email archiving, which can take old emails and attachments, encrypt them, and store them in a secure and searchable database.

Our HITRUST CSF certified software makes it easy to automatically send HIPAA compliant email to your patients. Doctors can directly communicate with patients, which means you can say goodbye to patient portals and hello to an increase in patient engagement.

Try Paubox Email Suite Premium for FREE today.

About the author

Sara Nguyen
