EyeMed Fined $600k Over Data Breach
An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America.
Cyber-criminals targeted EyeMed Vision Care in June 2020. Attackers gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage.
During the week-long intrusion, threat actors were able to view emails and attachments dating back six years. Contained within those emails and attachments was sensitive information that included consumers’ names, addresses, Social Security numbers and insurance account numbers.
In July 2020, the attackers used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials.
The healthcare provider’s IT department became aware of the phishing campaign when they started receiving emails from concerned clients who the attackers had targeted. EyeMed subsequently secured the compromised email account and launched an investigation.
The Office of the Attorney General determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser.
It was further determined that EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.
On Monday, New York Attorney General Letitia James announced that EyeMed had agreed to pay the State of New York $600k to resolve the 2020 data breach.
“New Yorkers should have every assurance that their personal health information will remain private and protected,” said attorney general James.
“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.”
The data breach impacted 98,632 residents of New York. James said she wanted the agreement to signal New York’s continued commitment to holding companies accountable.
“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information,” she added.
EyeMed Fined $600k Over Data Breach
An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America.
Cyber-criminals targeted EyeMed Vision Care in June 2020. Attackers gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage.
During the week-long intrusion, threat actors were able to view emails and attachments dating back six years. Contained within those emails and attachments was sensitive information that included consumers’ names, addresses, Social Security numbers and insurance account numbers.
In July 2020, the attackers used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials.
The healthcare provider’s IT department became aware of the phishing campaign when they started receiving emails from concerned clients who the attackers had targeted. EyeMed subsequently secured the compromised email account and launched an investigation.
The Office of the Attorney General determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser.
It was further determined that EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.
On Monday, New York Attorney General Letitia James announced that EyeMed had agreed to pay the State of New York $600k to resolve the 2020 data breach.
“New Yorkers should have every assurance that their personal health information will remain private and protected,” said attorney general James.
“EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.”
The data breach impacted 98,632 residents of New York. James said she wanted the agreement to signal New York’s continued commitment to holding companies accountable.
“My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information,” she added.
More Stories
UK police reveal they are running fake DDoS-for-hire sites to collect details on cybercriminals
There's bad news if you're someone who is keen to launch a Distributed Denial-of-Service (DDoS) attack to boot a website...
Microsoft Fixes Security Flaw in Windows Screenshot Tools
Information disclosure vulnerability aCropalypse could enable malicious actors to recover sections of screenshots Read More
Three Variants of IcedID Malware Discovered
The new variants hint that considerable effort is going into the future of IcedID and its codebase Read More
New MacStealer Targets Catalina, Newer MacOS Versions
The malware can extract information from documents, browser cookies and login information Read More
Can zero trust be saved?
Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for...
Part of Twitter source code leaked on GitHub
Part of Twitter’s source code has been leaked and posted on GitHub by an unknown user. GitHub took down the...