New York Department of Financial Services (NYSDFS) Superintendent Adrienne Harris announced EyeMed Vision Care LLC will pay a $4.5 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors.
“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” Harris said. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”
EyeMed, a licensed health insurance company, collects non-public information from its customers in the normal course of business. The department’s investigation revealed that as a result of a July 1, 2020, phishing attack, a bad actor gained access to a shared EyeMed email mailbox which contained over six years’ worth of consumer non-public information (“NPI”), including that of minors.
Upon further investigation, the department found that, among other things, EyeMed had violated the department’s cybersecurity regulation by failing to implement multi-factor authentication (MFA) throughout its email environment. Moreover, EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox. Had these controls been in place, the July 1, 2020, cybersecurity event could have been prevented or been limited in scope.
In addition, the department discovered EyeMed failed to conduct an adequate risk assessment, a core requirement of the cybersecurity regulation, which could have identified the user access privilege and data disposal risks associated with the email mailbox that was subjected to the phishing attack. As a result, EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper.
As part of the settlement, EyeMed agreed to undertake significant remedial measures to better secure its data. Among other things, EyeMed will conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan describing how EyeMed will address the risks identified in that assessment. The action plan will be subject to the review and approval of the department.