The New York Department of Financial Services (DFS) has fined a company $4.5 million for violating its cybersecurity regulation after one of the company's employees fell victim to a phishing attack that exposed the non-public personal health data of hundreds of thousands of individuals, including minors.
The consent order was entered into with EyeMed Vision Care.
EyeMed is a licensed health insurance company, but the failure that contributed to the breach, not enforcing multi-factor authentication across its entire email environment, is one that every company, including those in the accounts receivable management industry, should take note of and verify in its own environment: MFA that covers only some mailboxes or some access paths leaves the uncovered ones as the weakest link.
Nine employees shared the login credentials for the mailbox that was compromised, which meant a single phished password granted access to everything nine people used the account for, and no action in that account could be attributed to one individual or revoked for one individual. In addition, the company lacked adequate data retention and disposal policies, so six years' worth of consumer data remained accessible through that one email account. Had the proper controls been in place, the DFS alleged, the breach could have been prevented or its scope greatly reduced.
The DFS also found that EyeMed failed to conduct an adequate risk assessment, a core requirement of its cybersecurity regulation, which would likely have identified both the shared-credential risk and the failure to dispose of old data.
“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” said DFS Superintendent Adrienne A. Harris, in a statement. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”
Separately, the Massachusetts Division of Banks yesterday released a bulletin on how individuals can spot a phishing attack.