NEWARK–Attorney General Matthew J. Platkin announced today that New Jersey is co-leading, with Oregon and Florida, an overall $2.5-million settlement with EyeMed Vision Care (“EyeMed”) that resolves an investigation into a data breach that compromised the personal and medical information of approximately 2.1 million people, including more than 52,000 from New Jersey. Pennsylvania also joined in the multistate settlement.
The multistate investigation found deficiencies in EyeMed’s data security program that contributed to the breach in violation of state consumer protection and personal information protection laws and the federal Health Insurance Portability and Accountability Act (“HIPAA”). Among other security lapses, several EyeMed employees were sharing a single password to an email account used by EyeMed employees to communicate sensitive consumer information, including information related to vision benefits enrollment and coverage, to EyeMed clients.
An unauthorized user gained access to the EyeMed email account in June 2020, exposing approximately six years of personal and medical information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. After the unauthorized user gained access, approximately 2,000 phishing emails were sent from the compromised email account.
“New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”
Under state and federal law, providers that handle sensitive medical and client information, such as EyeMed, are required to implement and use appropriate safeguards to protect sensitive consumer information and identify potential threats.
“The Division of Consumer Affairs is committed to protecting New Jersey residents and their personal information wherever it is stored,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures.”
Under the settlement EyeMed has agreed to implement additional privacy and security measures to improve the protection of consumers’ information. These include:
- Complying with the state Consumer Protection Acts, the state Personal Information Protection Acts, and the federal HIPAA law;
- Not misrepresenting the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information;
- Continuing to develop, implement, and maintain a written Information Security Program that will comply with applicable laws and regulations;
- Continuing to employ an executive or officer who shall be responsible for implementing, maintaining, and monitoring the Information Security Program;
- Reporting all data breaches immediately;
- Maintaining reasonable policies and procedures governing its collection, use, and retention of patient information; and
- Maintaining appropriate controls to manage access to all accounts that receive and transmit sensitive information, including, but not limited to, instituting appropriate authentication measures.
The State is represented by Section Chief Kashif Chand and Deputy Attorney General Gina Pittore of the Data Privacy & Cybersecurity Section in the Division of Law’s Affirmative Civil Enforcement Practice Group, under the supervision of Assistant Attorney General Jennifer S. Schiefelbein, Deputy Director Jason W. Rockwell, and Director Michael T.G. Long. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.
Source: NJ Attorney General’s Office
This is not the first settlement stemming from that incident. In January, 2022, New York Attorney General James announced a $600,000 settlement with EyeMed, and in October 2022, the New York Department of Financial Services settled charges against EyeMed with a $4.5 million penalty and remedial cybersecurity plan.