EyeMed Vision Care Settles for $2.5 Million Over Data Breach Impacting Millions, Including 52,000 New Jersey Residents
EyeMed Vision Care, one of the nation's leading vision benefits providers, has agreed to a $2.5 million settlement over a data breach that compromised the personal and medical information of approximately 2.1 million people. The breach, which occurred in June 2020, affected over 52,000 New Jersey residents, as announced today by Attorney General Matthew J. Platkin. The settlement was co-led by New Jersey, Oregon, and Florida, with Pennsylvania also participating.
The multistate investigation uncovered deficiencies in EyeMed's data security program, including the violation of state consumer protection laws, personal information protection laws, and the federal Health Insurance Portability and Accountability Act (HIPAA). The investigation revealed that the breach was partly due to multiple EyeMed employees sharing a single password to an email account used to communicate sensitive consumer information.
The breached email account contained approximately six years' worth of personal and medical data, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses, conditions, and treatment information. Following the unauthorized access, about 2,000 phishing emails were sent from the compromised account.
Commenting on the breach, Attorney General Platkin stated, "New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures." He added that the settlement aims not only to impose a monetary penalty but also to change how companies behave so that patient data is better protected.
Cari Fais, Acting Director of the Division of Consumer Affairs, echoed this sentiment, emphasizing the commitment of the Division to protect New Jersey residents and their personal information.
As part of the settlement, EyeMed agreed to a series of enhanced privacy and security measures to improve the protection of consumers’ information. These measures include compliance with state and federal laws, a commitment not to misrepresent its data protection practices, development of a written Information Security Program, appointment of an executive responsible for that program, immediate reporting of data breaches, and improved controls over access to accounts that handle sensitive information.
The settlement underscores the importance of robust data security measures in an increasingly digital age, particularly for companies handling sensitive medical and personal information. Companies are reminded of their duty to protect their clients' information and the potential legal and financial consequences of failing to do so.