New York’s Department of Financial Services announced a $4.5 million settlement with EyeMed Vision Care for a 2020 email hack and data breach. (Photo by Kevork Djansezian/Getty Images)
The state of New York has slapped EyeMed Vision Care with yet another fine over its massive 2020 email hack and healthcare data breach. This time the vision benefits company will pay a $4.5 million penalty for multiple security violations that “contributed to” the data exposure.
The state’s investigation into the insurer found “EyeMed’s lack of compliant cybersecurity risk assessment to evaluate and address the risks to its information systems and non-public information stored on its networks left EyeMed vulnerable to threat actors, including the threat actor who initiated the cyber event,” according to the report.
The settlement was announced under the New York Department of Financial Services’ cybersecurity regulation, which mandates a set of responsible security standards for businesses. Put into effect in March 2017, it “served as a model for other regulators,” including the FTC, multiple states, and other security models.
The law includes standards for industry compliance, consumer data protection, cybersecurity controls, and timely reporting of cybersecurity events. The DFS investigation into EyeMed found multiple violations of these requirements.
“It is critically important that consumers’ non-public information is kept safe from potential criminal activity,” Superintendent of Financial Services Adrienne A. Harris said in the release. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from