Ohio-based benefits provider EyeMed Vision Care LLC has reached a settlement with the New York attorney general’s office over an email data breach in 2020. As part of the settlement, EyeMed will pay a $600,000 fine and implement data security measures. The data breach affected 2.1 million individuals nationwide and almost 99,000 New Yorkers.
In June 2020, cybercriminals gained access to an EyeMed email account by entering “login credentials via a web browser and mail client.” The email account contained six years’ worth of data, including patient names, addresses, Social Security numbers, and insurance account numbers.
On July 1, 2020, the cybercriminals used the same email account to launch phishing attacks against EyeMed clients. The phishing emails asked clients to provide their login credentials. Concerned clients then reached out to EyeMed about the suspicious emails they had received, and the IT department observed the unauthorized activity.
Subsequently, EyeMed blocked access to the compromised email account and launched an investigation that confirmed the email data breach.
What did the New York attorney general investigation reveal about EyeMed’s security protocols?
The New York attorney general’s office conducted an investigation that revealed EyeMed was missing several security protocols. The settlement document points to four areas in which EyeMed did not meet the requirements for protecting personal information.
Multi-factor authentication (MFA): EyeMed didn’t implement MFA protocols for the affected email account, despite the account being accessible via a web browser and containing large amounts of sensitive information.
Password management: EyeMed did not have a robust password policy. The investigation revealed that the password was “insufficiently complex” and that the account permitted up to six failed login attempts before locking out the user ID.
Logging and monitoring: EyeMed had limited logging and monitoring capabilities, which made it difficult to determine what documents or emails were accessed by the cybercriminals.
Data retention: The EyeMed email account held emails dating back to 2014. Keeping that much personal data in a single account, rather than moving older data to a more secure system, was unreasonable.
The investigation concluded that EyeMed didn’t have the appropriate safeguards implemented in its network and failed to protect personal data.
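The three technical gaps above (no MFA, a lax lockout policy, and too little logging to see what the attacker did) are all visible in ordinary mailbox audit events if someone looks at them. As an added illustration that is not part of the original article and is not EyeMed’s or Paubox’s code, the Python script below runs three checks over a handful of constructed audit events: a burst of failed logins against one account, a successful login without MFA, and a large volume of outbound mail shortly after a login. The JSON log format, field names, thresholds, account names and IP addresses are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Policy thresholds. These are assumed values for the example, not figures from
# the settlement: the article says six failures were permitted, so a tighter
# limit of three is used here to show what a stricter lockout policy looks like.
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
MASS_MAIL_RECIPIENTS = 50
MASS_MAIL_WINDOW = timedelta(hours=24)

# Constructed audit events, one JSON object per line. They are invented for this
# example (documentation IP ranges, example.test mailboxes) and are not real logs.
SAMPLE_LOG = """\
{"ts":"2020-06-15T08:00:00","user":"claims@example.test","event":"login_failed","ip":"203.0.113.7","client":"web"}
{"ts":"2020-06-15T08:00:20","user":"claims@example.test","event":"login_failed","ip":"203.0.113.7","client":"web"}
{"ts":"2020-06-15T08:00:40","user":"claims@example.test","event":"login_failed","ip":"203.0.113.7","client":"web"}
{"ts":"2020-06-15T08:01:00","user":"claims@example.test","event":"login_failed","ip":"203.0.113.7","client":"web"}
{"ts":"2020-06-15T08:01:30","user":"claims@example.test","event":"login_success","ip":"203.0.113.7","client":"web","mfa":false}
{"ts":"2020-06-15T08:30:00","user":"claims@example.test","event":"send","ip":"203.0.113.7","client":"web","recipients":35}
{"ts":"2020-06-15T09:10:00","user":"claims@example.test","event":"send","ip":"203.0.113.7","client":"web","recipients":40}
{"ts":"2020-06-15T09:15:00","user":"alice@example.test","event":"login_success","ip":"198.51.100.5","client":"outlook","mfa":true}
{"ts":"2020-06-15T09:20:00","user":"alice@example.test","event":"send","ip":"198.51.100.5","client":"outlook","recipients":2}
"""


def parse_events(text):
    """Parse JSON-lines audit text into dicts with datetime timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (user, finding) tuples for the lockout, MFA and mass-mail checks."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        failures = []               # timestamps of failed logins inside the window
        last_success = None         # most recent successful login for this user
        recipients_since_login = 0  # outbound recipients since that login
        mass_reported = False
        for ev in evs:
            kind = ev["event"]
            if kind == "login_failed":
                failures = [t for t in failures if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
                failures.append(ev["ts"])
                if len(failures) == FAILED_LOGIN_THRESHOLD:  # fires once per burst
                    findings.append((user, "failed_login_burst"))
            elif kind == "login_success":
                if len(failures) >= FAILED_LOGIN_THRESHOLD:
                    findings.append((user, "success_after_failed_burst"))
                if not ev.get("mfa", False):
                    findings.append((user, "login_without_mfa"))
                failures = []
                last_success = ev
                recipients_since_login = 0
                mass_reported = False
            elif kind == "send" and last_success is not None and not mass_reported:
                if ev["ts"] - last_success["ts"] <= MASS_MAIL_WINDOW:
                    recipients_since_login += ev.get("recipients", 0)
                    if recipients_since_login >= MASS_MAIL_RECIPIENTS:
                        findings.append((user, "mass_mail_after_login"))
                        mass_reported = True
    return findings


def run_detection(text=SAMPLE_LOG):
    """Convenience wrapper: parse the log text and run all checks."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for user, finding in run_detection():
        print(f"{user}: {finding}")
```

On the constructed input the compromised-looking mailbox produces four findings (the failed-login burst, a success right after it, a login without MFA, and 75 recipients mailed within an hour of that login), while the MFA-protected mailbox that sends two messages produces none. In a real deployment the thresholds would be tuned per role, and the sequence alert is the one worth paging on, since a burst of failures followed by success and then mass outbound mail is exactly the pattern the article describes.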
What happens to EyeMed now?
EyeMed agreed to pay a $600,000 fine to the State of New York. It also agreed to implement data security measures to minimize the chance of data breaches occurring in the future. According to a press release, these measures include:
- Maintaining a comprehensive information security program
- Using multi-factor authentication
- Encrypting protected health information (PHI) that it stores, transmits, maintains, or collects
- Conducting penetration testing
- Implementing appropriate logging and monitoring of network activity
- Permanently deleting consumer information if there is no business or legal reason to keep it
EyeMed has offered affected clients complimentary credit monitoring, fraud consultation, and identity theft restoration.
Don’t let email security become an afterthought
The EyeMed email security breach was easy to prevent, but EyeMed failed to implement the appropriate safeguards to protect patient data.
Paubox Email Suite Premium makes it simple and easy to keep patient data secure. It uses robust inbound security tools to stop malicious emails from entering your employees’ inboxes. It also includes email archiving, which can take old emails and attachments, encrypt them, and store them in a secure and searchable database.
Our HITRUST CSF certified software makes it easy to automatically send HIPAA compliant email to your patients. Doctors can directly communicate with patients, which means you can say goodbye to patient portals and hello to an increase in patient engagement.