The EyeMed Vision Care, LLC

EyeMed Vision Care, LLC experienced a cybersecurity incident in June 2020 that resulted in unauthorized access to the personal and confidential information of about 2.1 million consumers, including names, addresses, social security numbers, member numbers of health and vision insurance accounts, diagnoses, and treatment information (Haworth, 2022). Preliminary reports indicated that approximately 98,000 of the affected people were state residents.
This data breach led to legal proceedings, in which the New York AG’s office accused EyeMed of violating the law by failing to protect the sensitive information of its clients. The resulting lawsuit compelled the company to pay New York State $600,000 in settlement fees (Haworth, 2022). Apart from the settlement fee, EyeMed was instructed to implement a comprehensive information security model, characterized by practices such as encrypting sensitive data and performing penetration tests on its systems to identify security vulnerabilities in its network.
The cyber-attack occurred when the attacker accessed the EyeMed email account. During a week-long intrusion, the hacker accessed, viewed, and retrieved emails and attachments dating back six years. The emails and attachments contained confidential consumer information (Haworth, 2022). One month after the first intrusion, the attacker sent about 2,000 phishing emails from the compromised email account to the company’s clients, requesting the login credentials of their accounts. Following the detection of this phishing attack, EyeMed promptly blocked the hacker’s access. Three months after the cyber incident, EyeMed began notifying the affected consumers whose data was compromised during the attack (Haworth, 2022). The cyber-attack exposed the security vulnerabilities of EyeMed’s information security system, highlighting the need to eliminate the loopholes that the intruder exploited.
There are specific measures that EyeMed could have adopted to avert the breach. From my perspective, I think the company should have implemented multi-factor authentication (MFA). The preliminary findings indicate that EyeMed applied conventional single-factor authentication, which requires users to provide only a single verification factor (a password) to access the system (De-Groot, 2021). This made it easy for the hackers to steal the passwords and hack the company’s email account. Implementing MFA would have enhanced the robustness of EyeMed’s information system, since it requires two or more factors to verify the user’s identity before granting access to the account. The adoption of MFA would have subsequently minimized the chances of phishing attacks, contributing to a reduced possibility of unauthorized access.
Apart from financial losses and legal battles, the data breach has also tainted EyeMed’s brand reputation. The firm needs to implement comprehensive information system security mechanisms and conduct regular penetration tests to enhance its preparedness and prevention against potential cyber-attacks.
