EyeMed Pays $600,000 Fine for 2.1 Million-Record Data Breach

New York Attorney General Letitia James has announced the first settlement of 2022 over a healthcare data breach. EyeMed Vision Care, a vision benefits provider based in Ohio, will pay a $600,000 financial penalty to settle a 2020 data breach that compromised the personal information of 2.1 million individuals nationwide, including 98,632 New York residents.

The data breach occurred on or around June 24, 2020, when unauthorized individuals accessed an EyeMed email account that held sensitive consumer information related to vision benefits enrollment and coverage. The attacker had access to the account for about a week and viewed emails and file attachments spanning a period of 6 years starting on January 3, 2014. The emails contained a range of sensitive information, including names, contact details, dates of birth, health insurance account information, driver's license numbers, full or partial Social Security numbers, Medicaid/Medicare numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment details.

Between June 24, 2020 and July 1, 2020, the attackers accessed the email account from several IP addresses, some of them located outside the United States. On July 1, 2020, the attackers used the account to send about 2,000 phishing emails to EyeMed clients. EyeMed's IT division discovered the phishing emails after receiving several inquiries from clients asking whether the messages were legitimate, and the compromised account was quickly secured.

According to the forensic investigation, the attacker may have exfiltrated information from the email account while access was possible, but there is no confirmation that any personal data was stolen. Affected individuals were notified in September 2020 and offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed did not employ appropriate security measures to prevent unauthorized persons from accessing the personal data of New York residents.

The email account was accessible through a web browser and held large quantities of consumers' sensitive data spanning several years, yet EyeMed had not enabled multifactor authentication on it. EyeMed also failed to apply adequate password management requirements to the account. The password requirements were not complex enough, requiring only an 8-character password, even though EyeMed clearly understood the importance of password complexity, since its admin-level accounts required passwords of no fewer than 12 characters. EyeMed also permitted 6 failed password attempts before locking out the user ID. In addition, EyeMed failed to maintain adequate logging of its email accounts and was not monitoring them, which made security incidents hard to detect and investigate. Retaining consumer data in the email account for such a long time was likewise unreasonable: older emails should have been moved to more secure systems and deleted from the mailbox.
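The logging and monitoring gap above is the one that let a week of access from several IP addresses, some foreign, and a burst of 2,000 outbound phishing emails go unnoticed. The following is an added example, not code from the article or from EyeMed, of the two checks a mailbox audit feed would need to surface that pattern; the account name, IP addresses, country codes (ZZ is a placeholder for a non-US country) and timestamps are all constructed to mirror the timeline in the article.

```python
from datetime import datetime, timedelta

# Constructed audit records (not real EyeMed data): (timestamp, account, event, ip, country).
# One mailbox reached from several IPs over a week, some outside the US, then a send burst.
ACCOUNT = "benefits-mailbox@example.com"
AUDIT_LOG = [
    ("2020-06-24T09:12:00", ACCOUNT, "login", "198.51.100.7", "US"),
    ("2020-06-24T22:40:00", ACCOUNT, "login", "203.0.113.45", "ZZ"),
    ("2020-06-26T03:15:00", ACCOUNT, "login", "203.0.113.90", "ZZ"),
    ("2020-06-29T14:05:00", ACCOUNT, "login", "192.0.2.33", "US"),
    ("2020-06-30T11:00:00", ACCOUNT, "send", "198.51.100.7", "US"),
] + [  # 2,000 sends in 33 minutes from one of the foreign IPs
    (f"2020-07-01T10:{i // 60:02d}:{i % 60:02d}", ACCOUNT, "send", "203.0.113.45", "ZZ")
    for i in range(2000)
]

def _events(records, account, kind):
    """Sorted (timestamp, ip, country) tuples of one event type for one account."""
    return sorted((datetime.fromisoformat(t), ip, c)
                  for t, a, ev, ip, c in records if a == account and ev == kind)

def distinct_ips_in_window(records, account, window=timedelta(days=7)):
    """Most distinct source IPs that logged into the account inside any `window`."""
    logins = _events(records, account, "login")
    best = 0
    for i, (t0, _, _) in enumerate(logins):
        best = max(best, len({ip for t, ip, _ in logins[i:] if t - t0 <= window}))
    return best

def foreign_logins(records, account, home="US"):
    """Logins whose source country differs from the home country."""
    return [e for e in _events(records, account, "login") if e[2] != home]

def send_burst(records, account, window=timedelta(hours=1)):
    """Peak number of outbound sends from the account inside any `window` (sliding)."""
    sends = _events(records, account, "send")
    best = start = 0
    for end, (t, _, _) in enumerate(sends):
        while t - sends[start][0] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def alerts(records, account, max_ips=3, max_sends=200):
    """Names of the signals that fire; an empty list means nothing suspicious."""
    checks = [("multiple source IPs within 7 days", distinct_ips_in_window(records, account) >= max_ips),
              ("login from outside home country", bool(foreign_logins(records, account))),
              ("outbound send burst", send_burst(records, account) > max_sends)]
    return [name for name, fired in checks if fired]
```

The thresholds are illustrative; in practice they would be tuned per mailbox role, and the first two signals fire on June 24, a week before the phishing wave that actually exposed the intrusion.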

State attorneys general are authorized to issue financial penalties for HIPAA violations, so HIPAA violations could have been cited; nonetheless, New York cited only violations of New York General Business Law.

Under the terms of the settlement, EyeMed must pay a financial penalty of $600,000 and implement specific measures to strengthen security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining appropriate account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers' personal information when there is no legitimate business or legal reason to retain it.

New Yorkers should be able to trust that their personal health information (PHI) will remain private and protected. EyeMed broke that trust by failing to keep an eye on its own security systems, which resulted in the exposure of the personal data of a large number of people. Attorney General James said that her office will continue to hold companies accountable and act in the best interest of New Yorkers, and that potential violations will be actively monitored to protect New Yorkers and their personal data.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected] or follow her on Twitter at https://twitter.com/ChrisCalHIPAA