Oregon Secures $2.5-Million Multistate Settlement with EyeMed Over Data Breach that Affected Millions of Patients

May 17, 2023

Attorney General Ellen Rosenblum announced a $2.5-million 4-state settlement with EyeMed Vision Care (“EyeMed”) that resolves an investigation into a data breach that compromised the personal and medical information of approximately 2.1 million people, including more than 11,000 Oregonians. The $750,000 Oregon will receive will go to supporting the state’s consumer protection and education efforts.

The multi-state investigation found problems in EyeMed’s data security program, which contributed to the breach in violation of state laws and the federal Health Insurance Portability and Accountability Act (“HIPAA”).

“EyeMed was careless with the most sensitive personal information of over two million consumers, including thousands of Oregonians,” said AG Rosenblum. “This settlement sends the message we will hold healthcare companies that obtain our private information, like EyeMed, accountable — and protect consumers from the harms of identity theft and fraud.”

An unauthorized user gained access to the EyeMed email account in June 2020, exposing approximately six years of personal and medical information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. After the unauthorized user gained access, approximately 2,000 phishing emails were sent from the compromised email account.

Under the settlement EyeMed has agreed to implement additional privacy and security measures to improve the protection of consumers’ information. These include:

  1. Not misrepresenting the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information;
  2. Continuing to develop, implement, and maintain a written Information Security Program that will comply with applicable laws and regulations;
  3. Continuing to employ an executive or officer who shall be responsible for implementing, maintaining, and monitoring the Information Security Program;
  4. Reporting all data breaches immediately;
  5. Maintaining reasonable policies and procedures governing its collection, use, and retention of patient information; and
  6. Maintaining appropriate controls to manage access to all accounts that receive and transmit sensitive information, including, but not limited to, instituting appropriate authentication measures.

If your personal information was exposed in the EyeMed data breach, you should change your passwords, add a security alert to your credit reports and consider placing a security freeze on your credit reports. For more information on these steps, visit www.oregonconsumer.gov.

While this settlement with the states of Oregon, New Jersey, Florida, and Pennsylvania does not include personal restitution, there is a pending private class action lawsuit.

For more information on data breaches, visit: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/. If you’ve been a victim of identity theft, visit: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/identity-theft/.