New York State announces $4.5M settlement with Eyemed Vision Care

By Press Release

New York State Superintendent of Financial Services Adrienne A. Harris announced today that EyeMed Vision Care LLC (“EyeMed”) will pay a $4.5 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” said Superintendent Harris. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”

EyeMed, a licensed health insurance company, collects non-public information from its customers in the normal course of business. The Department’s investigation revealed that as a result of a July 1, 2020 phishing attack, a bad actor gained access to a shared EyeMed email mailbox which contained over six years’ worth of consumer non-public information (“NPI”), including that of minors.

Upon further investigation, the Department found that, among other things, EyeMed had violated the Department’s cybersecurity regulation by failing to implement multi-factor authentication (“MFA”) throughout its email environment. Moreover, EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox. Had these controls been in place, the July 1, 2020 cybersecurity event could have been prevented or been limited in scope.

In addition, the Department discovered that EyeMed failed to conduct an adequate risk assessment, a core requirement of the cybersecurity regulation, which could have identified the user access privilege and data disposal risks associated with the email mailbox that was subjected to the phishing attack. As a result, EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper.

As part of the settlement, EyeMed agreed to undertake significant remedial measures to better secure its data. Among other things, EyeMed will conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan describing how EyeMed will address the risks identified in that assessment. The action plan will be subject to the review and approval of the Department.

DFS’s Cybersecurity Regulation became effective in March 2017 and it has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law. 