New York Attorney General Letitia James announced the state has reached a settlement with EyeMed to resolve allegations of security failings found during an investigation of a 2020 email hack. (Photo by Michael M. Santiago/Getty Images)

EyeMed reached a $600,000 settlement with the state of New York to resolve a number of allegations against its data security program, revealed during the state’s investigation into the healthcare business associate following a 2020 data breach that impacted 2.1 million individuals.

Eyecare giant Luxottica owns EyeMed, which provides vision benefits for a number of health insurance companies.

“EyeMed betrayed trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” New York Attorney General Letitia James said in a statement. 

“Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest,” she added. “My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

In December 2020, EyeMed reported falling victim to an email hack that was first discovered several months earlier in July. An attacker gained access to an employee email account and sent phishing emails to contacts found in the account’s address book on July 1.

What was not disclosed in EyeMed’s breach notification was that the impacted account was an enrollment account tied to EyeMed clients, and the attacker sent at least 2,000 phishing emails from the account after gaining access.

The emails “purported to be a request for proposal to deceive recipients into providing credentials to the attacker. Later the same day, EyeMed’s IT department observed the transmission of these phishing emails from the email account, and received inquiries from clients about the suspicious email.”

Further, while the breach notification said the account access was blocked and the mailbox secured on the same day it was discovered, the hack actually began on June 24, a week before it was discovered.

EyeMed’s investigation determined the account contained a trove of sensitive information from both current and former vision benefits members of multiple insurance clients, including 484,154 Aetna ACE plan members and 60,545 Tufts Health Plan members.

The data included vision and health insurance account and identification numbers, Medicaid or Medicare numbers, driver’s licenses, government IDs, and birth or marriage certificates. For some of the impacted members, the compromised information could include partial or full Social Security numbers, financial data, diagnoses, health conditions, treatments, and other data.

Problems meeting state law revealed during breach investigation

The state’s investigation into the data breach revealed further insights into the hacking incident and identified key areas where EyeMed did not meet the requirements of New York’s General Business Law.

For one, EyeMed did not have multi-factor authentication implemented on the impacted account, “despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information.”

The report found that the vendor was aware of the importance of MFA for reasonable data protections, as EyeMed required MFA for its virtual private network (VPN) for a number of years prior to the email incident.

In addition, investigators determined EyeMed did not employ sufficient password management requirements for the impacted enrollment email account despite the web browser access point. The minimum password requirement for the account was just eight characters.

“The password that the attacker used to gain access to the account was insufficiently complex given the sensitivity of the information in the enrollment account,” according to the report. The findings show that EyeMed was aware of the importance of password complexity, as its requirements for accounts with elevated privileges were at least 12 characters.

The report shows that EyeMed’s settings allowed six failed login attempts before it would lock out a user.

The state also determined EyeMed did not have adequate logging and monitoring of its email accounts, which made “it difficult to investigate security incidents.” EyeMed was using an Office 365 E3 license for the email account at the time of the hack, which provided limited logging capabilities and did not record logs for more than 90 days, or give visibility into user activities.

As a result, EyeMEd couldn’t see when email items were accessed, replied to, or forwarded beyond 90 days, nor could they identify when or what a user searched.

The forensic cybersecurity firm brought on to investigate the incident in 2020 was thereby unable “to definitively determine what emails or documents were accessed by the unauthorized user.”

The investigation also revealed that the hacked account contained customer information from six years prior to the breach, as the account was used by EyeMed clients to change vision coverage and held data that dated back to Jan. 3, 2014.

The state asserted “it was unreasonable to leave personal information in the affected email account for up to six years rather than to copy and store such information in more secure systems and delete the older messages from the affected email account, particularly in light of the unreasonable protections for the affected email account at the time of the breach.”

The findings show that EyeMed violated the state’s Executive Law and the General Business Law. EyeMed did not confirm or deny the findings.

EyeMed must modify policies under settlement terms

Under the settlement, EyeMed must modify its policies and procedures to adhere to the state’s laws for the collection, use, and maintenance of personal data. The vendor is also required to modify its information security program to, at a minimum, meet the requirements outlined in the report.

The security program must meet reasonable administrative, technical, and physical safeguards appropriate for the complexity of EyeMed’s operations and the sensitivity of the data in its possession.

In addition to improving its authentication, logging, and access posture, EyeMed is now required to encrypt private information as required by the state’s General Business law, “whether stored within the EyeMed computer network, or transmitted electronically within or outside the network, using a reasonable encryption algorithm where technically feasible.”

EyeMed is also required to maintain a reasonable pen testing program to identify and remediate vulnerabilities in its network, which must include routine pen testing, risk-based vulnerability ratings, and remediation practices consistent with industry standards.

Most importantly, “EyeMed shall permanently delete customer personal information when there is no reasonable business or legal purpose to retain it.” The vendor must pay the $600,000 fine to the state within 45 days and provide certification that it’s met these new security requirements.

State settlements over healthcare data breaches have become increasingly common in the last two years, given the pandemic focus and as the Department of Health continues its focus on enforcing the right of access rule outlined in The Health Insurance Portability and Accountability Act.

New Jersey has been particularly active in these enforcements, issuing fines for at least four healthcare companies in the last quarter, including Diamond Institute for Infertility and Menopause, Regional Cancer Care Associates, and two mailing and printing vendors.

Healthcare provider organizations should view these settlements as a warning and review the investigatory reports to determine how their security programs stack up, particularly with data retention and authentication requirements.