EyeMed Vision Care will pay New Jersey, Oregon and Florida a total of $2.5 million to settle an investigation into a 2020 data breach that compromised the personal and medical information of approximately 2.1 million people, New Jersey Attorney General Matthew Platkin announced.[1]
The settlement was one of two state actions involving health care breaches announced in May. In the second settlement, in New York, the state recouped $550,000 from a medical management company for failing to protect New Yorkers’ personal information, including health records.[2]
The multistate investigation into EyeMed found deficiencies in EyeMed’s data security program that contributed to the breach in violation of state consumer protection and personal information laws, along with HIPAA, according to Platkin.
Among other security lapses, several EyeMed employees shared a single password to an email account used to communicate with EyeMed clients. The account contained sensitive consumer information, including information related to vision benefits enrollment and coverage, the settlement said.