In 2020, EyeMed Vision Care suffered a **phishing email breach** where hackers accessed a shared inbox used by nine employees for enrollment processing. The compromised email, protected only by a weak password, contained **six years of sensitive customer data**, including personal and potentially financial information. The breach impacted **up to 2.1 million individuals** nationwide, though the class action settlement covered ~692,154 members. Regulatory fines and settlements have cost EyeMed **over $12.6 million**, including a $5M class action payout, $4.5M to New York’s DFS, $600K to the NY AG, and $2.5M to four other states. The company also faced mandatory security upgrades, including **MFA enhancements, password audits, HIPAA risk assessments, and reduced email retention periods**. The breach exposed customers to potential fraud, identity theft, and financial losses, with class members eligible for compensation up to $10,000 for documented damages. EyeMed denied wrongdoing but agreed to settlements to resolve negligence and compliance violation claims.
Source: https://www.bankinfosecurity.com/eyemed-agrees-to-pay-5m-to-settle-email-breach-litigation-a-29659
TPRM report: https://www.rankiteo.com/company/eyemed-vision-care
"id": "eye4802448100725",
"linkid": "eyemed-vision-care",
"type": "Breach",
"date": "6/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
```python
{
    'affected_entities': [
        {
            'customers_affected': '2.1 million (nationwide); 692,154 (class members); 1.47 million (HHS report); 98,632 (New York residents)',
            'industry': 'Healthcare',
            'location': 'Ohio, USA',
            'name': 'EyeMed Vision Care',
            'type': 'Healthcare (Vision Care Benefits Provider)',
        },
    ],
    'attack_vector': 'Phishing (compromised shared email inbox with weak password)',
    'customer_advisories': [
        'Breach notifications (2020)',
        'Settlement claims process (up to $10,100 per affected individual)',
    ],
    'data_breach': {
        'data_encryption': 'No (data stored in unencrypted email inbox)',
        'data_exfiltration': 'Yes',
        'file_types_exposed': ['Emails', 'Attachments (enrollment documents)'],
        'number_of_records_exposed': '2.1 million (max estimate)',
        'personally_identifiable_information': 'Yes',
        'sensitivity_of_data': 'High (6+ years of customer data)',
        'type_of_data_compromised': ['Personal Data', 'Enrollment Information', 'Sensitive Customer Records'],
    },
    'date_detected': '2020-09',
    'date_publicly_disclosed': '2020-09',
    'description': 'Vision care benefits firm EyeMed agreed to pay $5 million to settle class action litigation involving a 2020 phishing email data breach. The incident, which exposed sensitive customer data from a shared email inbox, has already cost the company over $12.6 million in regulatory fines and settlements across multiple states. The breach affected up to 2.1 million consumers nationwide, with 692,154 class members identified in the settlement. Security improvements mandated include enhanced MFA, password policies, HIPAA risk assessments, and third-party audits.',
    'impact': {
        'brand_reputation_impact': 'High (multiple regulatory actions and class-action lawsuit)',
        'data_compromised': ['Personal Data', 'Sensitive Customer Information'],
        'financial_loss': '$12.6M+ (regulatory fines, settlements, and litigation costs)',
        'identity_theft_risk': 'High (personal data exposed)',
        'legal_liabilities': '$12.6M+ (fines: $4.5M NY DFS, $600K NY AG, $2.5M 4-state AG, $5M class-action)',
        'systems_affected': ['Shared Employee Email Inbox (enrollment processing)'],
    },
    'initial_access_broker': {
        'entry_point': 'Phishing email (compromised shared inbox)',
        'high_value_targets': ['Customer enrollment data', 'PII'],
    },
    'investigation_status': 'Closed (settlements finalized; final court hearing on 2026-01-07)',
    'lessons_learned': [
        'Shared inboxes with weak passwords are high-risk targets for phishing.',
        'Prolonged data retention increases exposure in breaches.',
        'MFA and password policies must be enforced rigorously in healthcare.',
        'Regulatory non-compliance (e.g., HIPAA) amplifies financial and reputational damage.',
    ],
    'motivation': 'Financial Gain (data exfiltration for fraud/identity theft)',
    'post_incident_analysis': {
        'corrective_actions': [
            'Enhanced MFA and password policies',
            'Third-party HIPAA security risk assessment',
            'Reduced email retention periods',
            'Mandatory security awareness training',
            'Audit mechanisms for weak passwords',
        ],
        'root_causes': [
            'Weak password on shared email inbox',
            'Lack of MFA',
            'Excessive data retention (6+ years)',
            'Inadequate HIPAA compliance (risk assessments)',
        ],
    },
    'recommendations': [
        'Implement strict MFA for all email accounts, especially shared inboxes.',
        'Enforce password complexity and rotation policies with audits.',
        'Limit data retention periods to minimize breach impact.',
        'Conduct regular HIPAA security risk assessments with third-party auditors.',
        'Segment networks to isolate sensitive data (e.g., enrollment systems).',
        'Train employees on phishing awareness and incident reporting.',
    ],
    'references': [
        {'source': 'Information Security Media Group (ISMG)'},
        {'source': 'NY DFS Consent Order (2022-10)'},
        {'source': 'NY AG Settlement (2022-01)'},
        {'source': '4-State AG Settlement (NJ, FL, PA, OR; 2023-05)'},
        {'source': 'HHS Breach Report (2020-09)'},
    ],
    'regulatory_compliance': {
        'fines_imposed': '$12.6M+ ($4.5M NY DFS, $600K NY AG, $2.5M 4-state AG, $5M class-action)',
        'legal_actions': [
            'Class-action lawsuit (settled 2026-01-07)',
            'NY DFS Consent Order (2022-10)',
            'NY AG Settlement (2022-01)',
            '4-State AG Settlement (2023-05)',
        ],
        'regulations_violated': [
            'HIPAA',
            'California State Laws (e.g., CCPA)',
            'New York Financial Services Law (23 NYCRR 500)',
        ],
        'regulatory_notifications': ['HHS (2020-09)', 'State AGs (NY, NJ, FL, PA, OR)'],
    },
    'response': {
        'communication_strategy': ['Class-action settlement notifications', 'Regulatory disclosures (HHS, state AGs)'],
        'containment_measures': ['Shortened email retention period', 'Enhanced MFA', 'Password policy updates'],
        'incident_response_plan_activated': 'Yes (post-breach)',
        'remediation_measures': ['Security awareness training', 'Audit mechanisms for weak passwords', 'Third-party risk assessment'],
        'third_party_assistance': 'Yes (third-party HIPAA security risk assessment)',
    },
    'stakeholder_advisories': ['Class-action settlement notices', 'Regulatory filings (HHS, state AGs)'],
    'title': 'EyeMed Email Breach Settlement',
    'type': ['Data Breach', 'Phishing', 'Unauthorized Access'],
    'vulnerability_exploited': [
        'Weak Password',
        'Lack of MFA',
        'Prolonged Email Retention (6+ years)',
        'Shared Inbox Access',
    ],
}
```