Vision care provider paying $4.5M to settle N.Y. cybersecurity suit
A vision care provider is paying $4.5 million to settle a cybersecurity lawsuit filed by the New York Department of Financial Services in connection with a 2020 phishing attack that led to the exposure of hundreds of thousands of consumers’ private information.
The DFS said in a statement Tuesday that as a result of the attack, a bad actor gained access to a shared email box of Columbus, Ohio-based EyeMed Vision Care LLC, a licensed health insurance company, that contained more than six years’ worth of consumer nonpublic information, including that of minors.
According to the settlement agreement, the intrusion lasted from June 24, 2020, until July 1, 2020. EyeMed began to notify affected individuals and file regulatory notices on Sept. 28, 2020, the agreement said.
The agreement says the company violated New York’s cybersecurity regulation by delaying implementing required multifactor authentication, and did not conduct a required risk assessment.
It said at the time of the event, nine EyeMed employees shared login credentials to a mailbox protected only with a weak password.
The agreement says EyeMed has made “ongoing and completed efforts to remediate the shortcomings” identified in the consent order, and that it will continue to strengthen its cybersecurity controls.
“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” Superintendent of Financial Services Adrienne A. Harris said in a statement.
New York’s cybersecurity regulation, which became effective in March 2017, requires insurers and other financial institutions to put in place controls to ensure a robust cybersecurity program.
An EyeMed spokesperson and its attorneys could not be reached for comment.
Gloss