About the EyeMed Vision Care Settlement
EyeMed Vision Care has reached a $5 million settlement agreement over claims it failed to implement adequate data security measures.
The settlement resolves allegations stemming from an alleged June 2020 data breach that exposed the sensitive personal and medical information of up to 2.1 million vision insurance customers.
The breach allegedly occurred when an unauthorized third party gained access to employee email accounts through a phishing attack, potentially compromising years of stored customer data.
What Happened in the June 2020 Data Incident?
On June 24, 2020, an EyeMed employee reportedly fell victim to a sophisticated phishing email attack after allegedly and inadvertently providing access credentials to cybercriminals.
Slow response to breach
Plantiffs say the unauthorized access continued for seven days until July 1, 2020, when EyeMed's security team detected suspicious activity in the company’s email account server.
During this window, class plaintiffs say that threat actors sent approximately 2,000 phishing emails from the breached account and potentially accessed six years' worth of stored customer data.
Hacked account allegedly shared among employees
An investigation later revealed that the compromised employee email account served as a shared mailbox used by nine EyeMed staff members for enrollment processing.
This account contained extensive customer information dating back to 2014, protected only by what New York State's Department of Financial Services later described as "a weak password."
While EyeMed denies any wrongdoing and maintains that it implemented reasonable security measures, the company agreed to pay $5 million to settle the class action lawsuit brought by affected customers in Tate v. EyeMed Vision Care LLC.
Personal Information Exposed in the Vision Care Privacy Breach
The scope of exposed data in this healthcare information lawsuit allegedly compromised medical and insurance records:
- Full names and complete contact information
- Dates of birth and Social Security numbers
- Health insurance account numbers and identification codes
- Medical diagnoses and treatment information
- Medicaid and Medicare identification numbers
- Driver's license numbers and other government-issued IDs
Plaintiffs argue that the combination of personal, financial, and medical data poses a significant risk of identity theft, insurance fraud, and medical identity theft, making comprehensive settlement benefits particularly important for affected individuals.
Cybersecurity Improvements Required by Settlement
As part of the settlement agreement, EyeMed Vision Care has agreed to implement substantial cybersecurity enhancements to prevent future data breaches.
Improved servers and employee training
EyeMed will enhance network authorization requirements, ensuring stricter controls over who can access sensitive customer data. All EyeMed employees are also now required to complete mandatory security awareness training, with regular reminders about password complexity requirements.
Better password protection
Additionally, the company has updated its internal password reset procedures and implemented auditing mechanisms to identify and eliminate weak passwords across its systems.
EyeMed will also upgrade its multi-factor authentication protocols, making it significantly harder for unauthorized users to access accounts even with stolen credentials.
Who Can Possibly File an EyeMed Settlement Claim
Individuals must meet specific criteria established by the court to participate in this settlement:
- Must be a U.S. resident.
- Must have had personal information stored in the EyeMed Vision Care servers.
- Must obtain a class member ID from the settlement administrator.
Some class members may have received an official data breach notification letter from EyeMed regarding the incident that occurred in June 2020. Breach notices may contain a unique class member ID that serves as a key to participating in the settlement.
However, not receiving a breach notice doesn't disqualify EyeMed clients from possibly filing a claim.
How to verify eligibility
Several resources exist to help customers in doubt obtain an EyeMed class member ID and confirm their eligibility status:
- Contact Kroll Settlement Administration directly at (833) 621-8389 to obtain an ID number.
- Visit www.eyemeddatasettlement.com and attempt to log in with any information you may have received.
- Review your vision insurance records to confirm you were an EyeMed client during or before June 2020
Settlement administrators can search their records using names and addresses to determine if the customer is included in the class, even if they never received a breach notification.
Proposed EyeMed Settlement Compensation Structure
The most substantial compensation potentially available covers actual monetary losses directly attributable to the data breach. Eligible expenses must have incurred on or after June 24, 2020, and can include:
- Unreimbursed losses from fraud or identity theft directly linked to the exposed data.
- Professional fees paid to attorneys, accountants, or credit repair services.
- Costs for credit monitoring services purchased after the breach.
- Fees associated with freezing or unfreezing credit reports.
- Bank charges for replacing compromised cards or closing fraudulent accounts.
- Transportation expenses for trips to financial institutions to address fraud.
- Miscellaneous costs, such as notary fees, postage, copying, and long-distance phone charges.
Documentation requirements include receipts, bank statements, invoices, or other proof showing the expenses resulted from the breach and haven't been reimbursed elsewhere.
Lost time agreement
Recognizing that dealing with a data breach consumes valuable time, the settlement provides possible compensation at $25 per hour for up to four hours spent addressing breach-related issues.
This $100 maximum can cover time spent:
- Reviewing bank and credit card statements for fraudulent charges.
- Enrolling in credit monitoring or identity protection services.
- Communicating with financial institutions about compromised accounts.
- Filing police reports or completing identity theft affidavits.
- Changing passwords and securing online accounts.
Claimants must attest that the time claimed was actually spent responding to the data incident, but detailed time logs aren't required.
Possible pro rata cash payment
Every eligible class member who submits a valid claim can potentially receive an equal share of the remaining settlement funds after the settlement administrator pays all benefits.
Attorneys for the plaintiffs estimate this payment may be approximately $50 per person, though the final amount depends on several factors.
How to Submit Your EyeMed Data Breach Claim
Online claim submission
- Navigate to www.eyemeddatasettlement.com.
- Click on "File a Claim" or "Submit Claim Form"
- Enter the unique class member ID.
- Complete all required fields with accurate information.
- Upload supporting documentation for any expense reimbursement claims.
- Review submission for completeness and accuracy.
- Submit the claim and save the confirmation number.
Digital uploads of receipts, statements, and other proof can be attached directly to the claim, streamlining the review process.
Mail-in claim Option
- Download and print the PDF claim form from or call (833) 621-8389 to request one by mail.
- Fill out all sections completely using blue or black ink.
- Make copies of all supporting documentation.
- Include the class member ID on every page.
- Mail completed claim package to: Tate v EyeMed Vision Care LLC c/o Kroll Settlement Administration LLC P.O. Box 225391 New York, NY 10150-5391
Remember that mailed claims must be postmarked by December 11, 2025. Consider sending via certified mail to ensure delivery confirmation.
Important Dates and Deadlines
- December 11, 2025: Final deadline to submit claims (postmark date for mailed claims).
- January 7, 2026: Final Fairness Hearing at 1:00 p.m. ET.
- Spring 2026: Estimated payment distribution (60+ days after final approval, pending appeals).
Missing the claim deadline means forfeiting the right to participate, regardless of your losses or eligibility status.
Learn more about this settlement
Visit https://www.eyemeddatasettlement.com to check eligibility, obtain a class member ID, or learn more about the lawsuit.
Add Comment