In Short

Eye insurance company agrees to $2.5 million settlement in 2020 data breach

Attorney General Ellen Rosenblum.

Attorney General Ellen Rosenblum announced a lawsuit filed against 21 companies alleging environmental contamination from chemical products on Wednesday, May 31, 2023. (Courtesy of Ellen Rosenblum)

A vision insurance company at the heart of a data breach that affected thousands of Oregonians has agreed to a $2.5 million settlement, state officials said Wednesday.

Attorney General Ellen Rosenblum said in a news release that Oregon will receive $750,000 on behalf of the 11,000 state residents whose personal information was compromised as part of a breach of EyeMed Vision Care. Nationwide, more than 2 million people in multiple states were affected by the breach.

The company, based in Cincinnati, Ohio, is one of the fastest growing vision insurance companies in the U.S., with 60 million clients, according to its website. 

Protect your information 

Anytime you’re notified that your personal information might be compromised, immediately change your passwords, add security alerts to your credit reports and consider placing a security freeze on them. For more information, visit

In June 2020, a hacker gained access to the EyeMed email account and obtained about six years of personal information, including Social Security numbers, full names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, medical diagnoses and conditions and treatment information.

The hack led to 2,000 phishing emails which were sent in July 2020. A spokesman for the Attorney General’s office said in an email Wednesday that officials did not investigate how many of those affected have faced identity theft or other problems since the hack.

Oregon, along with officials in Florida, New Jersey and later Pennsylvania, investigated the company’s security system and found problems that contributed to the breach and violations of state and federal privacy laws. 

As part of the settlement, EyeMed has to step up its security. Some of the fixes involve:

  • Being transparent about its protection of consumer information;
  • Continuing to develop, implement and maintain a written security program that complies with follows the law;
  • Ensuring an executive is responsible for implementing, maintaining and monitoring the security program;
  • Reporting all data breaches immediately;
  • Maintaining controls to manage access to all accounts that receive and transmit sensitive information.

“This settlement is about holding companies like EyeMed accountable and protecting consumers from the harms of identity theft and fraud,” Rosenblum said in the release.

The money will be used to support the Department of Justice’s investigative, consumer protection and consumer education work.

In Oregon, the $750,000 will support the Department of Justice’s investigative, consumer protection and consumer education efforts.

The company has settled with other states as well, including an agreement last January to pay New York $600,000.



Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site.

Oregon Capital Chronicle Staff
Oregon Capital Chronicle Staff

The Oregon Capital Chronicle was launched in October 2021 as part of the States Newsroom, a 501c3 nonprofit that has newsrooms across the country covering state politics, agencies and legislatures. None has a paywall and none takes corporate dollars or ads. We thrive entirely on public donations. In Oregon, Lynne Terry is editor-in-chief, Julia Shumway is senior reporter and Alex Baumhardt and Ben Botkin are staff reporters.