On October 18, 2022, Adrienne Harris, the Superintendent of the New York Department of Financial Services (DFS) announced a $4.5 million penalty that was imposed upon EyeMed Vision Care LLC, a licensed health insurance company, for violating New York DFS’s Cybersecurity Regulation (23 NYCRR Part 500) in connection with a 2020 data breach that exposed sensitive, nonpublic, personal health information of its customers, including minors.
EyeMed reported the breach to DFS on October 9, 2022 prompting a DFS investigation. The investigation revealed that an unauthorized individual had gained access to a shared EyeMed email mailbox which contained more than six years’ worth of consumers’ non-public information, following a phishing attack on July 1, 2020. DFS investigators confirmed that the breached mailbox, which was used to process enrollments internally by employees and externally by customers, was shared by nine EyeMed employees who accessed the mailbox using the same username and password. According to the DFS, the bad actor had access to the mailbox for approximately one week before the breach was discovered and had the ability to exfiltrate documents and sensitive information during that time.
The DFS investigation also uncovered several regulatory violations. According to the Consent Order, at the time of the breach, EyeMed was in the process of rolling out multi-factor authentication (“MFA”) for its email environment but had not yet implemented MFA for the breached mailbox, as required by Section 500.12(b) the Cybersecurity Regulation. Eyemed also permitted nine employees to share one set of login credentials for a mailbox that contained consumers’ nonpublic information in violation of Section 500.7 of the Cybersecurity Regulation, which requires companies to limit user access privileges to information systems used to access NPI. The DFS determined that EyeMed also failed to implement an adequate data minimization and disposal strategy for the breached mailbox, which allowed the bad actor to access old data that would have been disposed of had a proper minimization process been in place. In addition, the DFS discovered that, while EyeMed engaged third-party vendors to conduct periodic audits of its IT controls, the assessments did not meet the requirements in Section 500.09 of the Cybersecurity Regulation, and, as a result, the company filed improper certifications from 2017 through 2020.
The $4.5 million penalty was imposed several months after New York Attorney General Letitia James announced, in January 2022, that a $600,000 settlement had been reached with EyeMed to resolve the 2020 data breach – a breach which compromised the personal information of approximately 2.1 million consumers nationwide, over 98,000 of which were in New York. According to James, the individual responsible for the breach had access personal information, including names, mailing addresses, Social Security numbers, health and vision identification numbers and health-related information. The bad actor also allegedly sent approximately 2,000 phishing emails from the compromised email account to EyeMed clients in an attempt to obtain customers’ EyeMed login credentials. As part of the settlement, EyeMed was required to undertake numerous remedial measures, which included updates to the technology used to secure its information systems, the utilization of MFA for all administrative or remote access accounts, and the encryption of all sensitive customer information that is collected and stored on EyeMed’s system.