EyeMed Will Pay $4.5M Penalty for 2020 Data Breach

EyeMed Vision Care LLC will pay $4.5 million as a penalty for violating the New York State Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR Part 500). A DFS investigation found that EyeMed’s “failure to conduct periodic risk assessments, together with failure to implement multi-factor authentication and secure access controls, resulted in cyber breach that exposed New York consumer data.”

Note

• Breaches in the medical vertical are starting to result in multiple fines and settlements – it isn’t just CMS and the US federal government anymore. One thing to note in the wording: “EyeMed had violated its Cybersecurity Regulation by failing to implement multifactor authentication (MFA) throughout its email environment, which was required by the regulation.”
• In addition to failing to implement MFA, they also failed to limit sharing of credentials, data retention and disposal policies, and to conduct adequate risk assessments which would have identified shortfalls in meeting regulatory requirements. The takeaway is make sure that you are not only meeting requirements in your adopted security framework, to include regulatory requirements, but also looking for risks beyond those requirements specific to your environment. Remember to look for updates in both those frameworks. Additionally, monitor for unexpected user behavior. For example, shared credentials could indicate a need for a more appropriate data sharing/collaboration platform.

Read more in

• DFS SUPERINTENDENT HARRIS ANNOUNCES $4.5 MILLION CYBERSECURITY SETTLEMENT WITH EYEMED VISION CARE LLC
• EyeMed Vision Care to Pay $4.5M to NY Over Healthcare Data Breach
• New York fines EyeMed $4.5 million for 2020 email hack, data breach
• Cost of a health insurance security breach? NY watchdogs say it’s $4.5m