Oregon gets $750,000 in EyeMed data breach settlement

A $2.5-million four-state settlement has been reached with EyeMed Vision Care over a data breach that compromised the personal and medical information of about 2.1 million people, including more than 11,000 Oregonians.

Oregon received $750,000 of that $2.5 million, according to Attorney General Ellen Rosenblum's office. The state will use the money on consumer protection and education efforts.

An investigation into EyeMed found issues with its data security program. Those issues contributed to the breach, which violated state laws and the federal Health Insurance Portability and Accountability Act (“HIPAA”).

“EyeMed was careless with the most sensitive personal information of over two million consumers, including thousands of Oregonians,” Rosenblum said in a press release. “This settlement sends the message we will hold healthcare companies that obtain our private information, like EyeMed, accountable — and protect consumers from the harms of identity theft and fraud.”

An unauthorized user accessed the EyeMed email account in June 2020, exposing about six years of “personal and medical information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information,” according to the release.

After that user accessed the account, they sent out about 2,000 phishing emails.

As a condition of the settlement, EyeMed agreed to implement further security measures to better protect consumers’ information.

Here are the measures EyeMed agreed to take, according to the release:

  • Not misrepresenting the extent to which it maintains and protects the privacy, security or confidentiality of consumer information;
  • Continuing to develop, implement and maintain a written Information Security Program that will comply with applicable laws and regulations;
  • Continuing to employ an executive or officer who shall be responsible for implementing, maintaining and monitoring the Information Security Program;
  • Reporting all data breaches immediately;
  • Maintaining reasonable policies and procedures governing its collection, use and retention of patient information; and
  • Maintaining appropriate controls to manage access to all accounts that receive and transmit sensitive information, including, but not limited to, instituting appropriate authentication measures.

Those who had their personal information exposed in the EyeMed data breach are urged to change their passwords, according to the release. Additionally, the state recommends that people add a security alert to their credit reports and consider putting a security freeze on credit reports.

If you are an Oregon resident who has been a victim of identity theft, the Attorney General’s office recommends you visit https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/identity-theft/.
