A vision insurance company at the heart of a data breach that affected thousands of Oregonians has agreed to a $2.5 million settlement, state officials said Wednesday.

Attorney General Ellen Rosenblum said in a news release that Oregon will receive $750,000 on behalf of the 11,000 state residents whose personal information was compromised as part of a breach of EyeMed Vision Care. Nationwide, more than 2 million people in multiple states were affected by the breach.
The company, based in Cincinnati, Ohio, is one of the fastest growing vision insurance companies in the U.S., with 60 million clients, according to its website.
In June 2020, a hacker gained access to the EyeMed email account and obtained about six years of personal information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions and treatment information.
The hack led to 2,000 phishing emails which were sent in July 2020. A spokesman for the Attorney General’s office said in an email Wednesday that officials did not investigate how many of those affected have faced identity theft or other problems since the hack.
Oregon, along with officials in Florida, New Jersey and later Pennsylvania, investigated the company’s security system and found problems that contributed to the breach and violations of state and federal privacy laws.
PROTECT YOUR INFORMATION
Anytime you’re notified that your personal information might be compromised, immediately change your passwords, add security alerts to your credit reports and consider placing a security freeze on them. For more information, visit www.oregonconsumer.gov.
As part of the settlement, EyeMed has to step up its security. Some of the fixes involve:
- Being transparent about its protection of consumer information;
- Continuing to develop, implement and maintain a written security program that complies with the law;
- Ensuring an executive is responsible for implementing, maintaining and monitoring the security program;
- Reporting all data breaches immediately;
- Maintaining controls to manage access to all accounts that receive and transmit sensitive information.
“This settlement is about holding companies like EyeMed accountable and protecting consumers from the harms of identity theft and fraud,” Rosenblum said in the release.
In Oregon, the $750,000 will support the Department of Justice’s investigative, consumer protection and consumer education efforts.
The company has settled with other states as well, including an agreement last January to pay New York $600,000.
Oregon Capital Chronicle