Cost of a health insurance security breach? NY watchdogs say it's $4.5m

Hundreds of thousands of people's sensitive info poorly protected
New York regulators continue turning the screws on organizations with slapdash computer security.

This week, $4.5 million was extracted from vision insurance company EyeMed, which was accused of recklessly leaving hundreds of thousands of people's sensitive health information within reach of intruders.

In addition to coughing up the cash to settle claims it violated New York State's Department of Financial Services' cyber security rules, EyeMed also agreed to improve its network defenses and conduct a comprehensive risk assessment of its IT systems, subject to DFS review and approval.

"It is critically important that consumers' non-public information is kept safe from potential criminal activity," said Superintendent of Financial Services Adrienne A. Harris in announcing the arrangement. 

To put the fines in perspective: EyeMed's parent company Luxottica of America reportedly rakes in annual revenues exceeding $500 million. In other words: don't shed too many tears for the insurer over a $4.5 million check.

The data snafu dates back to 2020 and, according to EyeMed, it's likely the result of one of its people falling for a phish. In July 2020, the vision insurer discovered an intruder had gained access to a shared email account that employees used to process enrolment. Customers' personal information would have been at the snooper's fingertips.

Upon discovering the security breach, EyeMed "immediately" blocked access to the mailbox and hired outside specialists, according to the settlement's paperwork [PDF]. The investigation later revealed that the intrusion ran from around June 24 to July 1, 2020, during which time miscreants read and stole emails and attachments containing consumers' non-public health information, including data concerning minors, dating back six years prior to the cyberattack.

On September 28, 2020, EyeMed started notifying affected individuals, and it reported the breach to New York's DFS on October 9, 2020.

In its own investigation, the state found the vision insurance company violated cybersecurity regulations by failing to roll out multi-factor authentication (MFA) across its entire email environment. "The delay in MFA implementation left EyeMed's Information Systems and its consumers' NPI vulnerable to threat actors," the settlement paperwork stated.

Additionally, EyeMed should have limited user access privileges to the compromised mailbox and not allowed nine employees to share login credentials, according to DFS. The company also failed to implement sufficient data retention and disposal processes, thus giving the thief access to six-plus years of people's private data.

If the insurer had conducted an adequate risk assessment, as required by the US state's cyber security requirements, it would have identified these security shortcomings, we're told. 

The EyeMed settlement follows several other deals between data-exposing companies and the state of New York. 

Last week, online retailer Zoetop agreed to fork out $1.9 million after account data belonging to 46 million customers was stolen in 2018.

And over the summer, the DFS fined Robinhood's cryptocurrency operations $30 million and Carnival Cruise Lines $5 million for violating New York's cyber security regulations. ®
