A vision care provider is paying $4.5 million to settle a cybersecurity lawsuit filed by the New York Department of Financial Services related to a 2020 phishing attack that led to the exposure of hundreds of thousands of consumers’ private information.
DFS said in a statement Tuesday that as a result of the attack, a bad actor gained access to a shared mailbox of Columbus, Ohio-based EyeMed Vision Care LLC, a licensed health insurance company, which contained more than six years' worth of consumer information, including information about minors.
According to the settlement agreement, the breach lasted from June 24, 2020 to July 1, 2020. EyeMed began notifying affected individuals and filing regulatory notices on September 28, 2020, according to the agreement.
The settlement says the company violated New York's cybersecurity ordinance by delaying the implementation of required multi-factor authentication and failing to conduct a required risk assessment.
It said that at the time of the incident, nine EyeMed employees shared login credentials to a mailbox protected only by a weak password.
The agreement says EyeMed has made “ongoing and completed efforts to address the deficiencies” identified in the consent order, and that it will continue to strengthen its cybersecurity controls.
“It is critically important that consumers’ nonpublic information be kept safe from potential criminal activity, and DFS’s first cybersecurity regulation requires New York regulated entities to take that responsibility seriously,” Superintendent of Financial Services Adrienne A. Harris said in a statement.
New York’s cybersecurity ordinance, which went into effect in March 2017, requires insurance companies and other financial institutions to put in place controls to ensure a robust cybersecurity program.
A spokesperson for EyeMed and its attorneys could not be reached for comment.