
NYDFS Fines EyeMed $4.5 Million for Cybersecurity Violations


On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

The 2020 event was a phishing attack that lasted several days in June and July 2020, during which a threat actor gained access to an EyeMed email mailbox containing six years’ worth of sensitive personal health data, including data concerning minors. The NYDFS consent order states that EyeMed’s failure to comply with the Cybersecurity Regulation left the company vulnerable to threat actors. Specifically, the regulator found that EyeMed had not implemented multi-factor authentication for its email systems, had not limited user access privileges to accounts containing sensitive information, and had not implemented sufficient data retention and disposal protocols. According to the consent order, the mailbox containing sensitive consumer information was protected by a weak password that was shared by nine employees. The NYDFS also found that EyeMed had failed to conduct adequate cybersecurity risk assessments, and that, as a result, the company’s annual cybersecurity compliance certifications for the calendar years 2017 through 2020 were “improper.”

As part of the settlement, EyeMed agreed to conduct a comprehensive cybersecurity risk assessment and prepare an action plan that addresses the risks identified in that assessment.

