Eye insurance firm agrees to $2.5 million settlement with state AGs after data breach

A major eye insurance provider will pay a fine of $2.5 million after settling a lawsuit from four states about a 2020 data breach that exposed the personal information of about 2.1 million people.

Attorneys general from New Jersey, Oregon, Florida and Pennsylvania announced the settlement this week with EyeMed Vision Care. The company violated several state consumer protection and personal information protection laws as well as the federal Health Insurance Portability and Accountability Act (HIPAA), the officials said.

Ohio-based EyeMed has 60 million clients, according to its website. The company already paid a $4.5 million penalty to New York State’s Department of Financial Services last year over the same breach and another $600,000 in a settlement with that state’s attorney general.

Among several deficiencies found in EyeMed’s data security program during the multistate investigation, the AGs said several EyeMed employees were sharing a single password to an email account used by EyeMed employees to communicate sensitive consumer information, including information related to vision benefits enrollment and coverage, to EyeMed clients.

The states involved said the money from the settlement will be divided up and used by each state’s department of justice on consumer protection and education efforts.

A hacker broke into the EyeMed email account in June 2020, exposing about six years of personal and medical information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions and treatment information.

After the hack, more than 2,000 phishing emails were also sent from the compromised EyeMed email account.

“New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said New Jersey Attorney General Matthew Platkin, noting that more than 52,000 residents of his state were affected.

“This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data,” Platkin said.

Officials noted that state and federal laws mandate proper safeguards for sensitive medical information.

Under the settlement, EyeMed must implement new privacy and security measures, hire a chief security officer, report all breaches “immediately” and refrain from “misrepresenting the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.”

The settlement with New York in 2022 mirrored much of what was in the most recent deal but also included a stipulation that the company permanently delete consumers’ personal information “when there is no reasonable business or legal purpose to retain it.”

“EyeMed was careless with the most sensitive personal information of over two million consumers, including thousands of Oregonians, and that is simply unacceptable,” Oregon Attorney General Ellen Rosenblum said. “This settlement is about holding companies like EyeMed accountable and protecting consumers from the harms of identity theft and fraud.”