Date: 2023-05-17

Attorney General Ellen Rosenblum announced a $2.5-million settlement with EyeMed Vision Care (“EyeMed”) that resolves an investigation into a data breach that compromised the personal and medical information of approximately 2.1 million people, including more than 11,000 Oregonians. The $750,000 the state will receive will go to supporting the Department of Justice’s investigative, consumer protection and consumer education efforts.

Oregon co-led with Florida and New Jersey a multistate investigation that found problems in EyeMed’s data security program, which contributed to the breach in violation of state laws and the federal Health Insurance Portability and Accountability Act (“HIPAA”). Pennsylvania also joined in the settlement.

“EyeMed was careless with the most sensitive personal information of over two million consumers, including thousands of Oregonians, and that is simply unacceptable,” said AG Rosenblum. “This settlement is about holding companies like EyeMed accountable and protecting consumers from the harms of identity theft and fraud.”

An unauthorized user gained access to the EyeMed email account in June 2020, exposing approximately six years of personal and medical information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. After the unauthorized user gained access, approximately 2,000 phishing emails were sent from the compromised email account.

Under the settlement, EyeMed has agreed to implement additional privacy and security measures to improve the protection of consumers’ information. These include:

Not misrepresenting the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information;

Continuing to develop, implement, and maintain a written Information Security Program that will comply with applicable laws and regulations;

Continuing to employ an executive or officer who shall be responsible for implementing, maintaining, and monitoring the Information Security Program;

Reporting all data breaches immediately;

Maintaining reasonable policies and procedures governing its collection, use, and retention of patient information; and

Maintaining appropriate controls to manage access to all accounts that receive and transmit sensitive information, including, but not limited to, instituting appropriate authentication measures.

If you were notified that your personal information was exposed in the EyeMed data breach, act immediately to change your passwords, add a security alert to your credit reports and consider placing a security freeze on your credit reports. For more information on these steps, visit www.oregonconsumer.gov.

For more information on data breaches, visit: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/. If you’ve been a victim of identity theft, visit: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/identity-theft/.