EyeMed Vision Care Agrees to Pay $5 Million to Settle Class Action Data Breach Lawsuit
EyeMed Vision Care has agreed to pay $5 million to settle a class action lawsuit stemming from a June 2020 data breach. The data breach was identified by EyeMed Vision Care on July 1, 2025, when suspicious activity was observed in an employee’s email account. An employee had responded to a phishing email, allowing their email account to be accessed on June 24, 2020. Between June 24, 2020, and July 1, 2020, the threat actor used the account to send around 2,000 phishing emails.
The investigation revealed the account contained emails dating back 6 years. Those emails included the personal and protected health information of 2.1 million individuals. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information.
The first class action lawsuit in response to the data breach was filed in January 2021 by plaintiff Chandra Tate, which was followed by a second class action lawsuit around a week later. The two lawsuits were consolidated – Tate, et al. v. EyeMed Vision Care, LLC – as they had overlapping claims. The lawsuits asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of California’s unfair competition law, the California Confidentiality of Medical Information Act, and the California Consumer Privacy Act.
EyeMed Vision Care filed a motion to dismiss; however, only the negligence claim was dismissed, and all other claims were allowed to proceed. EyeMed Vision Care denies all claims and contentions in the lawsuit, maintains there was no wrongdoing, and denies that it has any liability; however, it has agreed to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation.
In June 2024, all parties engaged in mediation, and a settlement was ultimately agreed upon that was acceptable to all parties. The settlement has now received preliminary approval from Judge Douglas R. Cole of the U.S. District Court for the Southern District of Ohio, Western Division. Under the terms of the settlement, EyeMed Vision Care will establish a $5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards. The remainder of the settlement fund will be used to pay benefits to the class members.
Class members may choose to receive a $50 cash payment, which may be increased or decreased depending on the number of valid claims received. In addition, a claim may be submitted for up to four hours of lost time at $25 per hour (max $100) for time spent dealing with issues associated with the data breach. A claim may also be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach, up to a maximum of $10,000 per class member, including any claim for lost time. Claims are subject to a pro rata reduction should the $5,000,000 cap on payments be reached.
EyeMed has also agreed to make changes to its business practices, including enhancing authorization requirements, providing additional security awareness training to the workforce, updating its internal password reset requirements, conducting audits for weak passwords, enhancing its multifactor authentication requirements, shortening the mailbox data retention period, and engaging a third-party vendor to conduct an updated HIPAA risk assessment. Individuals wishing to object to or exclude themselves from the settlement must do so by November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final fairness hearing has been scheduled for January 7, 2026.
This was not the only EyeMed Vision Care settlement to be reached over the data breach. In January 2022, the New York Attorney General announced that EyeMed Vision Care had agreed to pay a $600,000 fine to resolve alleged violations of New York General Business Law, and later that year, the New York State Department of Financial Services (DFS) fined EyeMed Vision Care $4.5 million for alleged violations of the DFS Cybersecurity Regulation. In 2023, a multi-state data breach investigation involving the Oregon, New Jersey, Florida, and Pennsylvania Attorneys General was settled with a $2.5 million penalty. This $5 million class action settlement takes the settlement total up to $12,600,000.
The post EyeMed Vision Care Agrees to Pay $5 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.