DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

AG Platkin Co-Leads $2.5-Million Multistate Settlement with EyeMed Over 2020 Data Breach

Posted on May 17, 2023 by Dissent

NEWARK–Attorney General Matthew J. Platkin announced today that New Jersey is co-leading, with Oregon and Florida, an overall $2.5-million settlement with EyeMed Vision Care (“EyeMed”) that resolves an investigation into a data breach that compromised the personal and medical information of approximately 2.1 million people, including more than 52,000 from New Jersey. Pennsylvania also joined in the multistate settlement.

The multistate investigation found deficiencies in EyeMed’s data security program that contributed to the breach in violation of state consumer protection and personal information protection laws and the federal Health Insurance Portability and Accountability Act (“HIPAA”).  Among other security lapses, several EyeMed employees were sharing a single password to an email account used by EyeMed employees to communicate sensitive consumer information, including information related to vision benefits enrollment and coverage, to EyeMed clients.

An unauthorized user gained access to the EyeMed email account in June 2020, exposing approximately six years of personal and medical information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. After the unauthorized user gained access, approximately 2,000 phishing emails were sent from the compromised email account.

“New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

Under state and federal law, providers that handle sensitive medical and client information, such as EyeMed, are required to implement and use appropriate safeguards to protect sensitive consumer information and identify potential threats.

“The Division of Consumer Affairs is committed to protecting New Jersey residents and their personal information wherever it is stored,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures.”

Under the settlement EyeMed has agreed to implement additional privacy and security measures to improve the protection of consumers’ information. These include:

  • Complying with the state Consumer Protection Acts, the state Personal Information Protection Acts, and the federal HIPAA law;
  • Not misrepresenting the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information;
  • Continuing to develop, implement, and maintain a written Information Security Program that will comply with applicable laws and regulations;
  • Continuing to employ an executive or officer who shall be responsible for implementing, maintaining, and monitoring the Information Security Program;
  • Reporting all data breaches immediately;
  • Maintaining reasonable policies and procedures governing its collection, use, and retention of patient information; and
  • Maintaining appropriate controls to manage access to all accounts that receive and transmit sensitive information, including, but not limited to, instituting appropriate authentication measures.

The State is represented by Section Chief Kashif Chand and Deputy Attorney General Gina Pittore of the Data Privacy & Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group, under the supervision of Assistant Attorney General Jennifer S. Schiefelbein, Deputy Director Jason W. Rockwell, and Director Michael T.G. Long. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.

Source: NJ Attorney General’s Office

This is not the first settlement stemming from that incident. In January, 2022,  New York Attorney General James announced a $600,000 settlement with EyeMed, and in October 2022, the New York Department of Financial Services settled charges against EyeMed with a $4.5 million penalty and remedial cybersecurity plan.

Category: Health DataPhishingU.S.

Post navigation

← #StopRansomware: BianLian Ransomware Group
Re-Victimization from Police-Auctioned Cell Phones →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.