May 28, 2023

New Jersey AG announces $2.5 million multistate data breach settlement with insurance company

New Jersey Attorney General Matthew Platkin recently announced a $2.5 million settlement with EyeMed Vision Care LLC, a health insurance company, to resolve allegations that a data breach, which lasted from June 24, 2020 to July 1, 2020, and compromised the personal and medical information of approximately 2.1 million people nationwide, violated various state consumer protection and personal data protection laws.  The multistate settlement was led by the attorneys general of New Jersey, Oregon and Florida, and joined by Pennsylvania.

The New Jersey AG reports that the settlement was entered after a multistate investigation revealed that EyeMed data security program deficiencies contributed to the data breach – deficiencies that allegedly violated the federal Health Insurance Portability and Accountability Act (“HIPPA”).  More specifically, the investigation revealed that the network breach occurred when an unauthorized user gained access to an EyeMed email account that was used by employees to communicate sensitive consumer information and accessed by several employees who shared a single password.

In addition to the monetary payout, EyeMed agreed to implement and maintain certain privacy and security measures, including the maintenance of a security program that complies with HIPPA and state consumer and personal protection laws; the implementation of certain authentication requirements that prohibit shared individual user accounts and require multifactor authentication; the encryption of consumers’ personal information and personal health information; the continued development and implementation of a written Information Security Program (“ISP”) that complies with applicable laws and regulations; and the continued employment of an executive or officer responsible for implementing and monitoring the ISP.

The latest multi-state settlement follows the October 2022 imposition of a $4.5 million penalty by the New York Department of Financial Services (“NYDFS”) for alleged violations of the NYDFS Cybersecurity Regulation, and the announcement by New York AG Letitia James in January 2022 of a $600,000 settlement with EyeMed, each stemming from the 2020 breach.  As a result, the 2020 security breach has resulted in over $7.6 million in regulatory liabilities thus far for EyeMed.

New Jersey AG Press Release | Consent Order | New York AG Press Release (2022)