"EyeMed Fined $600k Over Data Breach"
An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America.

Adversaries targeted EyeMed Vision Care in June 2020. They gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage. During the week-long intrusion, the adversaries were able to view emails and attachments dating back six years. Those emails and attachments contained sensitive information, including consumers’ names, addresses, social security numbers, and insurance account numbers. In July 2020, the adversaries used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials.

The Office of the Attorney General recently determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser. It also determined that EyeMed failed to implement adequate password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.