How EyeMed got to pay for an issue discovered by a breach

EyeMed is to pay $600,000 to the state of New York to offset possible consequences of poor information security program implementation. The new changes must be implemented within a company within 45 days.

EyeMed got attacked by hackers in 2020, and only months later the company reported about the issue. An employee email was compromised as the violator gained access and distributed phishing emails among addresses from the disclosed book. The information about the enrollment account exposure was concealed, customers were tied to this account, and they received 2,000 phishing emails from the attacker.

The account comprised a bulk of confidential information related to insurance clients.

The compromised data included IDs, driver’s licenses, birth and marriage certificates, Medicaid and Medicare numbers, Social Security numbers, treatment details, financial information.

The incident caused the state to investigate deeper into the breach as the state law violation had been observed.

Not all the New York’s General Business Law requirements were met by the company. EyeMed failed to ensure multi-factor authentication for the affected account. The account could be reached via a web browser and offer the data trove to anyone on the Internet. The password appeared to be inadequate as well comprising only 8 characters, whereas the company’s norm for the privileged account should not be less than 12 characters.

The low level of email account monitoring made “it difficult to investigate security incidents.”

EyeMed used a limited version of Office 365 which also impacted logging capabilities. The company lost track of user activities with emails after 90 days of trial.

According to the state, EyeMed could have moved the data to a more secure place than keeping it in the affected email account during six years.

Besides logging enhancing, access management and authentication implementation, the company is asked to ensure sensitive data encryption. It is also demanded that EyeMed scheduled pen testing and introduced remediation practices into their information security program. The company is now required to delete customer data which is beyond the necessary amount.