Last week, the New York Department of Financial Services (“DFS”) announced a $4.5 million settlement with EyeMed Vision Care LLC (“EyeMed”) for violations of DFS’s Cybersecurity Regulation protecting patients’ health data. On July 1, 2020, a phishing attack against EyeMed resulted in a malicious actor gaining access to an email account that contained six years of consumers’ non-public information (“NPI”). An investigation revealed that EyeMed had failed to comply with several requirements of the Cybersecurity Regulation, including implementing multi-factor authentication, maintaining secure access controls for its email system, and conducting an adequate risk assessment. In addition to paying the $4.5 million fine, EyeMed agreed to implement remedial measures as part of the settlement.