EyeMed Vision Care agreed to pay a penalty of $4.5 million as part of a settlement with the New York State Department of Financial Services (NYDFS) for cybersecurity control failures that helped enable a 2020 data breach.

EyeMed did not have proper controls in place when a bad actor gained access to a shared email inbox containing more than six years’ worth of personal information from customers, including minors, the NYDFS alleged. As a result, the company violated the regulator’s cybersecurity regulations, including through its attestations that it was in compliance with the requirements.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity,” said NYDFS Superintendent Adrienne Harris in a press release Tuesday. “… This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”

The details: The NYDFS’s investigation found EyeMed failed to implement multi-factor authentication to protect its email activity. The probe further uncovered nine EyeMed employees shared login credentials for the email inbox that contained customer personal data.

The July 2020 breach, believed to be the result of a successful phishing scheme, exposed hundreds of thousands of customers’ personal health data, according to the regulator. The NYDFS criticized EyeMed’s data retention and disposal processes in addition to its alleged email security lapses.

“Had these controls been in place, the [July 2020] cybersecurity event could have been prevented or been limited in scope,” the NYDFS stated.

For the calendar years 2017-20, EyeMed improperly certified compliance with the NYDFS’s cybersecurity regulations, according to the regulator. Its investigation found the company failed to conduct an adequate risk assessment, as required, and that its engagement of third-party vendors to conduct periodic audits of IT controls and enterprise risk management reviews was insufficient to meet the regulations’ standards.

The NYDFS lauded EyeMed for its cooperation and ongoing remediation efforts in its consent order. The company has devoted “significant financial and other resources to enhance its cybersecurity program, including through changes to its policies, procedures, systems, and governance structures,” according to the regulator. Under the terms of the settlement, EyeMed must conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan to address any risks identified.

EyeMed did not respond to a request for comment.