EyeMed is an Ohio-based vision insurance provider. It works with companies and individuals looking for insurance.
The breach consisted of unauthorized access to the non-public information (NPI) of 2.1 million individuals. The hack lasted a week; in that time, the hacker could access more than six years’ worth of NPI, resulting in widespread panic. The information taken in the initial hack made it possible for the hacker to start another attack less than a month after the first. Notifications were not sent to affected parties until September 2020, three months after the first breach.
The breach occurred when a bad actor gained access to an employee’s email and used that access for personal gain. Less than a month after the initial breach, the hacker used the previously compromised email to send out thousands of phishing messages.
This breach occurred in June 2020 and then again in July 2020.
The breach impacted a surprisingly small share of EyeMed customers. The insurer has over 62 million customers, which means that only about three percent of customers were affected by this breach.
The breach affected 2.1 million files. While the number may seem incredibly large, one must remember that many breaches have had tens of millions of victims. The biggest data breach in history was a Yahoo! breach that affected 3 billion users.