ACTION
EyeMed Vision Care LLC (the “Company”) is licensed by the NY DFS to sell life, accident, and health insurance. On October 18, 2022, the Department of Financial Services entered a Consent Order levying a fine of $4.5 million against EyeMed. Further, the Company was required to strengthen its cybersecurity controls, conduct and submit a risk assessment, and create an action plan to mitigate the risks identified within the risk assessment.
SECURITY EVENT
An unauthorized individual (the "Threat Actor") was able to gain access to EyeMed’s Office 365 environment through a successful phishing campaign, enabling the Threat Actor to access a mailbox which was subsequently shared by nine employees who also shared credentials for said mailbox. Multifactor authentication (MFA) was not enforced on the shared mailbox. The Threat Actor was able to access and exfiltrate NPI. As a result, it was also confirmed that EyeMed had not conducted a sufficient Risk Assessment as required by the Regulation and further failed to implement a plan for data minimization and security or limit user access. As a result of the event, the DFS found that EyeMed improperly certified compliance with the Regulation.
VIOLATIONS
23 NYCRR § 500.02(b) requires Covered Entities to maintain a cybersecurity program based on the Covered Entity’s Risk Assessment.
23 NYCRR § 500.03 requires Covered Entities to implement and maintain a cybersecurity policy based on the Covered Entity’s Risk Assessment and address information security, access controls and identity management, customer data privacy, and risk assessment.
23 NYCRR § 500.07 requires Covered Entities to limit user access privileges to Information Systems that provide access to Nonpublic Information.
23 NYCRR § 500.09(a) requires Covered Entities to conduct a periodic Risk Assessment of the Covered Entity’s Information Systems, sufficient to inform the design of the cybersecurity program.
23 NYCRR § 500.12(b) requires Covered Entities to implement multi-factor authentication for all users, or reasonably equivalent or more secure access controls approved in writing by the Chief Information Security Officer.
23 NYCRR § 500.13 requires Covered Entities to include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information.
23 NYCRR § 500.17(b) requires Covered Entities to annually certify compliance with the Cybersecurity Regulation.
SUGGESTED ACTION ITEMS
Based on the content of the Regulation along with best practices for cybersecurity, a risk assessment must be performed periodically (at least annually). The results of the risk assessment must be used to prepare and update policies and procedures. A periodic risk assessment will allow the organization to better assess whether they have been able to remediate known risks and to identify new risks for remediation.
Multi-factor authentication should be deployed for all users. The deployment should be designed to enforce and require MFA rather than letting a user skip setup or treat MFA as optional.
User accounts should not have shared credentials. It is important to discuss the structure of any shared mailboxes with an IT professional or MSP to confirm that the mailbox is set up for shared access through secure user accounts and not as a separate user account with shared credentials.
All covered entities certifying compliance should be familiar with the Regulation and confirm they have taken the steps necessary to comply with each part of the Regulation applicable to their organization. During a compliance audit or regulatory investigation, the Covered Entity will be subject to a review relative to compliance with all applicable parts of the Regulation.
If you or your organization need help in determining compliance or are unsure if this memo could apply to you, please reach out to Jacki Goralczyk. The DG team is ready and willing to assist you with a review.
Jacki Goralczyk - Partner & Practice Group Leader – Data Privacy & Cybersecurity
jacki@dglawny.com | 518.631.6400 x102
To read more about Jacki, read her bio at www.dglawny.com/jacquelinegoralczyk