The Luxottica Group PIVA-owned vision benefits provider, EyeMed, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state data privacy and protection laws with Oregon, New Jersey, Florida, and Pennsylvania and will pay a $2.5 million penalty. EyeMed previously settled a similar investigation with New York and agreed to pay a $4.5 million penalty.
An investigation was launched following a report of a breach of the protected health information of 2.1 million people in 2020. An unauthorized individual had gained access to an employee’s email account in June 2020 and was able to access approximately 6 years of personal and medical information, including names, addresses, email addresses, diagnoses, treatment information, and Social Security numbers. The compromised email account was used to send around 2,000 phishing emails before the breach was detected and blocked.
The multistate investigation identified deficiencies in EyeMed’s information security program that contributed to the data breach. For instance, several EyeMed employees shared a single password to an email account that was used to send emails containing sensitive consumer information to EyeMed clients, including information related to vision benefits enrollment and coverage.
In addition to the financial penalty, EyeMed will implement additional privacy and security measures, has agreed not to misrepresent the extent to which it maintains and protects the privacy, security, and confidentiality of consumer information, and will develop, implement, and maintain a comprehensive information security program. Victims of the data breach will also be provided with 2 years of complimentary credit monitoring services.
“New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said New Jersey Attorney General Matthew J. Platkin. “This is more than just a monetary settlement; it’s about changing companies’ behavior to better protect crucial patient data.”