Data Privacy, Data Security, Healthcare
EyeMed Faces $12.6 Million Fallout Over 2020 Cyber Incident with New Settlement

EyeMed Vision Care, an Ohio-based provider of eye care benefits, has reached a $5 million settlement regarding a phishing email incident from 2020. This breach prompted prior enforcement actions and substantial financial settlements with various state regulators, totaling over $12.6 million in penalties and settlements.
The settlement stipulates that affected class members can receive up to $100 for time lost due to the incident, along with compensation for documented out-of-pocket expenses, capped at $10,000. Remaining funds in the settlement will be distributed as prorated payments estimated at $50 per qualified claimant, depending on the number of submissions.
In addition to financial reparations, EyeMed has committed to implementing improved security protocols. These measures include enhanced authentication processes for network access, updated internal password requirements, expanded employee training for security awareness, and audits aimed at identifying weak passwords. The company will also engage a third-party firm to conduct an updated Health Insurance Portability and Accountability Act (HIPAA) security risk assessment.
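The remediation items above (stronger authentication, tighter internal password requirements, audits for weak passwords) are the kind of control an organisation can check for programmatically. The following is an added illustration, not EyeMed's code or anything from the court documents: a small offline audit that scores each account against a length and character-class policy, a constructed known-weak list (standing in for a licensed breached-password corpus), and two account-level risk flags, a credential shared by several people and MFA not enforced. All account names, passwords and the `KNOWN_WEAK` list are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: SHA-1 digests of passwords known to be weak. In a real audit this
# would be a licensed breached-password corpus; here it is a hypothetical stand-in.
KNOWN_WEAK = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "Password1", "Summer2020!", "benefits123")
}

MIN_LENGTH = 14          # assumed policy minimum; not a value taken from the settlement
MIN_CLASSES = 3          # lower, upper, digit, symbol


@dataclass
class Account:
    name: str
    password: str        # plaintext only because this is an offline audit of constructed data
    shared_by: int = 1   # number of people who know the credential
    mfa_enabled: bool = True


def audit_password(password: str) -> list[str]:
    """Return policy findings for one password; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    if classes < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    if hashlib.sha1(password.encode()).hexdigest() in KNOWN_WEAK:
        findings.append("appears in known-weak list")
    if re.search(r"(19|20)\d\d", password):
        findings.append("contains a year")
    return findings


def audit_account(acct: Account) -> list[str]:
    """Password findings plus account-level risk flags (shared credential, no MFA)."""
    findings = audit_password(acct.password)
    if acct.shared_by > 1:
        findings.append(f"credential shared by {acct.shared_by} people")
    if not acct.mfa_enabled:
        findings.append("MFA not enforced")
    return findings


def audit_all(accounts: list[Account]) -> dict[str, list[str]]:
    """Map account name -> findings, keeping only accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.name] = findings
    return report


if __name__ == "__main__":
    # Constructed accounts: one shared mailbox with a weak credential, one compliant user.
    sample = [
        Account("shared-benefits-inbox", "Summer2020!", shared_by=9, mfa_enabled=False),
        Account("analyst.user", "correct-horse-battery-Staple9"),
    ]
    for name, findings in audit_all(sample).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The shared-mailbox case is the one worth watching: even a password that satisfies every complexity rule is still a single secret known to many people, so the `shared_by` and `mfa_enabled` flags matter more than the character-class count.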
Despite the settlement, EyeMed denies any allegations of wrongdoing related to claims of negligence and violations of California state laws, asserting that it acted appropriately in responding to the breach. The legal settlement class is defined as all individuals residing in the U.S. who were notified about the data incident.
Current court documents indicate approximately 692,154 individuals are included in the settlement class. This is notably lower than previously reported figures: according to statements made to the U.S. Department of Health and Human Services in 2020, as many as 2.1 million individuals may have been affected by the breach.
A final court hearing regarding this class action settlement is scheduled for January 7, 2026. In the earlier breach, attackers compromised a shared email inbox used by nine EyeMed employees. Investigations revealed that this inbox, safeguarded by a weak password, held sensitive customer data dating back six years.
The 2020 phishing incident maps onto several tactics and techniques in the MITRE ATT&CK framework: initial access through credential phishing, lateral movement enabled by inadequate security measures, and potential privilege escalation, since weak password controls allowed the attackers to reach sensitive data.
As EyeMed moves forward, the organization’s financial burdens stemming from this incident will likely raise broader concerns among business owners about the critical need for robust cybersecurity measures, particularly in safeguarding against phishing and related threats.