HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

EyeMed agrees to $5 million settlement over 2020 data breach

Written by Tshedimoso Makhene | Oct 13, 2025 8:45:31 PM

In a class action settlement, EyeMed Vision Care has committed to a $5 million fund to resolve claims arising from a June 2020 data breach that exposed sensitive personal and health information of its customers.

 

What happened

According to the settlement terms, EyeMed (a major vision-benefits provider) agreed to pay $5 million to settle allegations that it failed to sufficiently safeguard consumers’ personal data, thereby allowing unauthorized access by a third party. The plaintiffs maintain that the breach exposed names, contact information, dates of birth, health insurance account numbers, Medicare/Medicaid identifiers, driver’s license or other government ID numbers, and other personal or health‐related data. 

 

The backstory 

In June 2020, EyeMed Vision Care experienced a breach impacting approximately 2.1 million patients, when an unauthorized actor gained access to an employee email account. The account contained six years’ worth of sensitive personal health information (PHI), including names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses, and coverage or treatment-related data. After gaining access, the attacker leveraged that email account to send out roughly 2,000 phishing emails.

Go deeper: EyeMed fined $600k for email data breach

 

Going deeper 

According to the Claim Depot, those eligible (i.e. U.S. residents who received a notice of the incident) may file claims by December 11, 2025, for reimbursement via one or more of these categories:

  • A pro rata cash payment
  • Compensation for “lost time” 
  • Reimbursement for out‐of-pocket losses for fraud, identity theft, credit monitoring, freezing credit, etc. 

Additionally, EyeMed has committed to bolstering its cybersecurity practices: enhanced security training, stronger password policies, adoption of multi-factor authentication, reduced retention times for affected mailboxes, and a new risk assessment. 

A fairness hearing is scheduled for January 7, 2026, and payments will be distributed about 60 days after final court approval and resolution of any appeals.

 

By the numbers 

Eligible class members may file a claim to receive one or more of the following:

  • Pro rata cash payment: Reimbursement of approximately $50, with the final amount determined by the settlement administrator based on the total number of claims submitted.
  • Compensation for lost time: Reimbursement for up to four hours spent addressing issues related to the data breach, calculated at $25 per hour, for a maximum of $100.
  • Out-of-pocket expenses: Reimbursement of up to $10,000 for actual, unreimbursed expenses directly resulting from the breach. This may include costs associated with fraud or identity theft, professional services, credit monitoring, freezing or unfreezing credit, and other reasonable expenses linked to the incident.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

 

FAQS

How do I file a claim?

Claims must be submitted through the official settlement website or via the settlement administrator using the forms provided. Supporting documentation may be required for out-of-pocket expenses.

 

Can I opt out of the settlement if I want to sue separately?

Yes. Class members who do not wish to be bound by the settlement must formally opt out by the specified deadline.
View full post