New York's Department of Financial Services announced a $4.5 million settlement with EyeMed Vision Care for a 2020 email hack and data breach. (Photo by Kevork Djansezian/Getty Images)

The state of New York has slapped EyeMed Vision Care with yet another fine over its massive 2020 email hack and healthcare data breach. This time the vision benefits company will pay a $4.5 million penalty for multiple security violations that “contributed to” the data exposure.

The state’s investigation into the insurer found “EyeMed’s lack of compliant cybersecurity risk assessment to evaluate and address the risks to its information systems and non-public information stored on its networks left EyeMed vulnerable to threat actors, including the threat actor who initiated the cyber event,” according to the report.

The settlement was announced under New York’s Department of Financial Services’ cybersecurity regulation, which mandates a set of baseline security standards for covered businesses. The regulation took effect in March 2017 and has “served as a model for other regulators,” including the FTC, multiple states, and other security frameworks.

The law includes standards for industry compliance, consumer data protection, cybersecurity controls, and timely reporting of cybersecurity events. The DFS investigation into EyeMed found multiple violations of these requirements.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity,” Superintendent of Financial Services Adrienne A. Harris said in the release. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”

DFS launched an investigation into EyeMed following its breach notification in December 2020 that reported an email hack first discovered five months earlier. A threat actor used the access to a single employee email account to send phishing emails to contacts within the address book.

An earlier $600,000 settlement with New York, which followed a separate state investigation, revealed several discrepancies in EyeMed’s breach notification.

First, EyeMed did not disclose that the attacker actually sent at least 2,000 phishing emails from the compromised account during the dwell time. The emails impersonated proposal requests that aimed to dupe victims into sharing their credentials.

Further, the IT team received inquiries from clients and detected the suspicious transmissions on July 1. While EyeMed previously reported that access to the account was blocked and secured on the same day it was discovered, the earlier investigation found the hack had begun a week before it was discovered.

In total, the data of 2.1 million current and former vision benefits members of multiple insurance clients was compromised by the incident.

The data included vision and health insurance account and identification numbers, Medicaid or Medicare numbers, driver’s licenses, government IDs, and birth or marriage certificates. Some members also had their Social Security numbers, financial data, diagnoses, health conditions, treatments, and other sensitive data exposed.

Investigation reveals major security failures by insurer

The DFS investigation into EyeMed uncovered deeper security failings than previously disclosed.

The audit revealed that EyeMed had violated the DFS’s cybersecurity regulation by failing to implement multi-factor authentication within its email environment. The state regulation requires MFA to be used for any users “accessing a covered entity’s internal network from an external network.”

“At the time of the cyber event, EyeMed was in the process of rolling out MFA for its email environment, but did not yet have MFA implemented for the mailbox, as required by the cybersecurity regulation,” according to the report.

In addition, EyeMed had transitioned its email system to Microsoft Office 365 18 months before the hack. Although the regulation went into effect on March 1, 2018, the MFA implementation did not begin until March 2020, two years later. The Office 365 environment provided access to the internal network throughout the period in which MFA was not fully implemented. The MFA project was not completed until September 2020.

DFS found that “the delay in MFA implementation left EyeMed’s information systems and its consumers’ non-public information vulnerable to threat actors.”

Further, the investigation found the insurer failed to limit user access privileges. In fact, nine employees were allowed to share login credentials to the email account behind the weeklong hack.

EyeMed also failed to implement the data retention and disposal processes required by DFS. Namely, the hacked account contained “over six years’ worth of consumer non-public information, including that of minors.” According to DFS, “had these controls been in place, the July 1, 2020, cybersecurity event could have been prevented or been limited in scope.”

DFS also found EyeMed hadn’t conducted an adequate risk assessment between 2018 and 2021, which would have identified the access privilege and data disposal risks tied to its email accounts.

Notably, had EyeMed conducted the risk assessment, it could have avoided several of the violations found by DFS. The regulation requires a covered entity to use an adequate risk assessment as the basis for an effective cybersecurity program able to “address information security, access controls and identity management, and customer data privacy.”

The finding also suggests that, after discovering the email hack and investigating it over the course of five months in 2020, EyeMed still did not perform a risk assessment for more than a year after the incident. A risk assessment is not only a core requirement of the DFS regulation; it is also mandated by the Health Insurance Portability and Accountability Act (HIPAA).

The report states that “to date, EyeMed has not conducted a risk assessment that complies with the requirements of the cybersecurity regulation.” Although the insurer has a third-party vendor conduct “periodic audits” of its IT controls and “enterprise risk management reviews,” those reviews do not meet the regulatory standard. What’s more, the vendor assessments did not cover the email system where the hack occurred.

DFS added that “as a result, EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper.”

Lastly, EyeMed was also found to have violated the DFS requirement to annually certify compliance with the cybersecurity regulation.

The multi-million dollar settlement also requires EyeMed to “undertake significant remedial measures to better secure its data.” The insurance carrier must conduct a comprehensive cybersecurity risk assessment, then develop a plan to address any risks identified during that assessment. DFS will then review and approve the plan.