A data breach that exposed the records of over two million clients of Ohio-based healthcare provider EyeMed Vision Care has led to penalties totalling $4.5m for the company. The case highlights the dangers of poor risk assessments and, particularly, failure to use multi-factor authentication (MFA).

EyeMed’s systems were breached when an attacker gained access to an email account shared by nine EyeMed employees in June 2020. That exposed customers’ personal data going back to 2014, and gave the attacker the ability to export that data elsewhere.

Phishing emails

A month after the breach, the attacker used the information gained to send around 2,000 phishing emails to customers, asking for confirmation of credentials. This alerted EyeMed to the breach and the company expelled the attacker from its systems. But it took a further two months to start notifying affected clients, and they were still being contacted in January 2021.

As EyeMed sells insurance services in the state of New York, it comes under the jurisdiction of the New York Department of Financial Services (DFS), which enforces the cybersecurity regulation known as NYCRR 500. It was found that EyeMed had certified compliance with NYCRR 500 for four years running in the late 2010s – but it hadn’t carried out a thorough risk assessment or implemented MFA where necessary.

Multi-factor authentication

NCYRR 500 came into effect in 2018 and contained the express requirement that users trying to access a company network from offsite should be required to use MFA. But EyeMed only began to implement an email system that allowed MFA in 2020.

While the company did hire consultants to carry out risk assessments, none of them sufficiently addressed risks posed by storing customer data on an email drives or using a shared email address to process enrolments.

DFS has praised EyeMed for “commendable cooperation” and taking extensive action to fix its security failures.