- La preocupación por los costes pone en jaque las estrategias de IA de los CIO
- This smart air purifier effectively replaced allergy medicine for me - and it's impressively quiet
- This discounted robot vacuum conquered the toughest room in my home
- I used the Google Pixel Tablet as my smart home display - and here's how it fared
- Samsung Unpacked 2025: Everything you might've missed, Galaxy S25 Edge, AR glasses, more
EyeMed Fined $600k Over Data Breach
An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America.
Cyber-criminals targeted EyeMed Vision Care in June 2020. Attackers gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage.
During the week-long intrusion, threat actors were able to view emails and attachments dating back six years. Contained within those emails and attachments was sensitive information that included consumers’ names, addresses, Social Security numbers and insurance account numbers.
In July 2020, the attackers used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials.
The healthcare provider’s IT department became aware of the phishing campaign when they started receiving emails from concerned clients who the attackers had targeted. EyeMed subsequently secured the compromised email account and launched an investigation.
The Office of the Attorney General determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser.
It was further determined that EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.
On Monday, New York Attorney General Letitia James announced that EyeMed had agreed to pay the State of New York $600k to resolve the 2020 data breach.
“New Yorkers should have every assurance that their personal health information will remain private and protected,” said attorney general James.
“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.”
The data breach impacted 98,632 residents of New York. James said she wanted the agreement to signal New York’s continued commitment to holding companies accountable.
“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information,” she added.
