AGs Settle with EyeMed for $2.5 Million after Allegedly Lax Data Security Led to Data Breach

  • The AGs of Oregon, New Jersey, Florida, and Pennsylvania settled with EyeMed Vision Care LLC to resolve allegations that the company violated state consumer protection and personal information protection laws, as well as the federal Health Insurance Portability and Accountability Act (HIPAA), by improperly securing consumer health data that was subsequently compromised in a data breach.
  • According to the settlement, EyeMed allegedly failed to properly safeguard consumer personal information (PI) and personal health information (PHI) in its email accounts, which led to unauthorized access of the PI and PHI of approximately 2.1 million consumers.
  • Under the terms of the settlement, EyeMed must pay $2.5 million to the states and must implement adequate security measures.