New York Fines Health Insurer $4.5M for Data Breach that Exposed Private Data
Health insurance company EyeMed Vision Care LLC will pay a $4.5 million penalty to New York State for violations of the state’s cybersecurity regulation that officials said exposed hundreds of thousands of consumers’ personal health data, including data concerning minors.
Under terms of the settlement with the Department of Financial Services, EyeMed cannot seek reimbursement or indemnification for the $4.5 million penalty from any insurance policy. DFS has included similar provisions in prior settlements.
DFS Superintendent Adrienne A. Harris announced the consent order. She said that her department’s investigation revealed that in the summer of 2020 a bad actor gained access to a shared EyeMed email mailbox which contained over six years’ worth of consumer non-public information.
The intrusion lasted from June 24, 2020, until July 1, 2020. The investigation was not able to determine how the unauthorized individual gained access to the mailbox, but EyeMed believes that it was likely a result of a successful phishing scheme.
DFS said it found that EyeMed had failed to implement multi-factor authentication throughout its email environment. EyeMed further failed to limit user access privileges by allowing nine employees to share login credentials to its email mailbox and failed to implement sufficient data retention and disposal processes. At the time of the cyber event, EyeMed was in the process of rolling out multi-factor authentication for its email, but did not yet have it implemented for the mailbox.
In addition, DFS discovered that EyeMed failed to conduct an adequate risk assessment, a requirement of the state’s cybersecurity regulation. While EyeMed engaged third-party vendors to conduct periodic risk management audits of IT, these assessments did not meet the standard required, DFS said.
Upon learning of the threat, EyeMed immediately blocked the unauthorized access, launched an investigation, and retained outside breach counsel. EyeMed began to notify the affected individuals and file regulatory notices in September 2020.
The DFS acknowledged EyeMed’s “commendable cooperation” throughout the investigation.
As part of the settlement, EyeMed has agreed to undertake remedial measures to better secure its data. Among other things, EyeMed will conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan describing how EyeMed will address the risks identified in that assessment.
DFS said the provision barring insurance recovery has also been included in prior cybersecurity consent orders with firms including Carnival Cruises, Banner Life Insurance, Guarantr Inc. and Robinhood Crypto among others.
DFS’s cybersecurity regulation became effective in March 2017.
- Ruling on Field Stands: Philadelphia Eagles Denied Covid-19 Insurance Claim
- Report: Millions of Properties May be Underinsured Due to Multiple Undetected Structures
- Uber Warns NYC Response to Insolvent Insurer Exposes Drivers
- Sedgwick Eyes Trends and Risks in 2025 Forecast