On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.
The 2020 event was a phishing attack: over several days in June and July 2020, a threat actor had access to an EyeMed email mailbox that contained six years' worth of sensitive personal health data, including data concerning minors. The NYDFS consent order attributes the exposure to EyeMed's failure to comply with the Cybersecurity Regulation. Specifically, the regulator found that EyeMed had not implemented multi-factor authentication for its email systems (required by 23 NYCRR 500.12), had not limited user access privileges to accounts containing sensitive information (500.07), and had not implemented sufficient data retention and disposal protocols (500.13). According to the consent order, the mailbox containing the consumer information was protected by a single weak password shared by nine employees, so no individual user could be held accountable for access and no second authentication factor stood between a phished credential and six years of records. The NYDFS also found that EyeMed had not conducted adequate cybersecurity risk assessments (500.09); because a Part 500 cybersecurity program must be built on that assessment, the annual certifications of compliance EyeMed filed for calendar years 2017 through 2020 (500.17) were, in the regulator's words, "improper."
As part of the settlement, EyeMed agreed to conduct a comprehensive cybersecurity risk assessment and prepare an action plan that addresses the risks identified in that assessment.