A Vision insurance company at the center of a data breach that has affected thousands of Oregonians has agreed to a $2.5 million settlement, state officials said Wednesday.
Attorney General Ellen Rosenblum said in a press release that Oregon will receive $750,000 on behalf of the 11,000 citizens whose personal information was compromised as part of an EyeMed Vision Care breach. Nationwide, more than 2 million people in several states were affected by the violation.
Based in Cincinnati, Ohio, the company is one of the fastest growing eye insurance companies in the US with 60 million customers, according to its website.
In June 2020, a hacker hacked into EyeMed’s email account and stole personal information including social security numbers, full names, addresses, dates of birth, phone numbers, email addresses, account/eye insurance ID numbers, for approximately six years and medical data diagnoses and complaints as well as treatment information.
The hack resulted in 2,000 phishing emails being sent in July 2020. A spokesman for the attorney general’s office said in an email Wednesday that officials had not investigated how many of those affected had faced identity theft or other issues since the hack.
Oregon, along with officials in Florida, New Jersey, and later Pennsylvania, examined the company’s security system and found issues that contributed to violations of state and federal privacy laws.
As part of the settlement, EyeMed needs to increase its security. Some of the fixes concern:
ensure transparency in the protection of consumer information; Continue to develop, implement and maintain a written security program that complies with the law; Ensure that a senior manager is responsible for implementing, maintaining and overseeing the safety program; Report any data breaches immediately; Maintaining controls to manage access to all accounts that receive and transmit confidential information.
“This settlement is about holding companies like EyeMed accountable and protecting consumers from the harms of identity theft and fraud,” Rosenblum said in the press release.
The money will be used to support the Department of Justice’s investigative, consumer protection and consumer education work.
In Oregon, the $750,000 will support the Department of Justice’s investigative, consumer protection and consumer education efforts.
The company has also reached settlements with other states, including an agreement to pay New York $600,000 last January.