EyeMed Fined $600K for 2020 Data Breach

Rivkin Radler LLP

On January 24, New York Attorney General Letitia James announced a settlement with EyeMed Vision Care LLC based on shortcomings in the company’s data security procedures. The problems were discovered during the state’s investigation of a 2020 data breach that affected 2.1 million people.

EyeMed, owned by Italian eyewear giant Luxottica Group PIVA, provides vision benefits for health insurance companies including Aetna and Tufts Health Plan. EyeMed’s email system was hacked in June 2020, allowing the attacker access to vision and health insurance account and identification numbers, Medicaid and Medicare numbers, driver’s license numbers, and other data. The attacker also sent more than 2,000 phishing emails from the company’s enrollment email account.

EyeMed’s breach notification falsely stated that the hacker’s access was blocked on the same day the company discovered it, rather than a week later as was actually the case. The state’s investigation into the data breach also revealed key areas where EyeMed did not meet the requirements of New York’s General Business Law, including failing to have implemented multi-factor authentication and sufficient password management requirements on the enrollment email account.

AG James said, “EyeMed betrayed trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals.” In addition to the $600,000 fine, the settlement requires EyeMed to modify its policies and procedures and information security program to comply with state law, to implement encryption of customers’ private information, and to permanently delete customer information when there is no reasonable business or legal purpose to retain it.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
