EyeMed Vision Care Resolves Class Action Data Breach Lawsuit for $5 Million

EyeMed Vision Care has decided to settle a class action lawsuit associated with a data breach in June 2020 for $5 million. The company discovered the data breach on July 1, 2025 after noticing suspicious activity in an employee's email account. An employee had responded to a phishing email, which enabled access to the email account on June 24, 2020. From June 24, 2020 to July 1, 2020, the attacker accessed the account and sent approximately 2,000 phishing emails.

According to the investigation, the account stored emails for the past 6 years. Those emails contained the personal data and protected health information (PHI) of 2.1 million people. Data exposed because of the incident included names, birth dates, Social Security numbers, contact data, vision insurance account/ID numbers, medical conditions and diagnoses, and treatment details.

In January 2021, plaintiff Chandra Tate filed the first class action lawsuit because of the data breach. A week later, a second class action lawsuit was filed. The two lawsuits were combined since they had similar claims. The Tate, et al. v. EyeMed Vision Care, LLC lawsuit stated claims of negligence, negligence per se, unjust enrichment, breach of implied contract, and violations of the California Consumer Privacy Act, the California Confidentiality of Medical Information Act, and California’s unfair competition law.

EyeMed Vision Care submitted a motion to dismiss. The negligence claim was dismissed, but the other claims continued. EyeMed Vision Care denies all claims and allegations in the lawsuit and any wrongdoing or liability. Nevertheless, it has decided to resolve the lawsuit to avoid the risks, costs, and uncertainty of ongoing litigation.

In June 2024, all parties involved in the negotiation reached a settlement deemed fair to all parties. Judge Douglas R. Cole of the U.S. District Court for the Southern District of Ohio, Western Division, gave preliminary approval of the settlement. Under the terms of the settlement, EyeMed Vision Care must pay $5 million into a settlement fund, which will cover legal counsel fees and expenses, service awards, and settlement administration costs. The remainder of the settlement fund will be paid to class members.

Class members can select a $50 cash payment, which could be higher or lower depending on the number of claims submitted. Furthermore, class members may submit a claim for as much as four hours of lost time at $25 an hour (max $100) for time spent addressing problems linked to the data breach. A claim can also be filed for reimbursement of documented, unreimbursed out-of-pocket expenses resulting from the data breach, up to $10,000 per class member, which includes any claim for lost time. Claims will be adjusted pro rata if the $5,000,000 settlement fund is not enough.

EyeMed also agreed to improve its company practices, which include stricter authorization requirements, offering employees supplemental HIPAA security awareness training, changing its requirements for resetting internal passwords, auditing for weak passwords, improving its multifactor authentication requirements, reducing the time frame for mailbox data retention, and hiring a third-party vendor to perform an updated HIPAA risk evaluation. People wanting to object to or be excluded from the settlement can do so until November 11, 2025. The last day to submit a claim is December 11, 2025. The final fairness hearing is scheduled for January 7, 2026.

EyeMed Vision Care has reached the following other settlements involving a data breach:

  • In January 2022, EyeMed Vision Care agreed to pay a $600,000 fine to the New York Attorney General to settle alleged New York General Business Law violations.
  • Later in 2022, EyeMed Vision Care paid the New York State Department of Financial Services (DFS) a $4.5 million fine for alleged DFS Cybersecurity Regulation violations.
  • In 2023, EyeMed Vision Care paid a $2.5 million penalty to settle a multi-state data breach involving the Florida, Oregon, New Jersey, and Pennsylvania Attorneys General.

To date, the total class action settlement paid by EyeMed Vision Care is $12,600,000.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations.