Warby Parker to Pay $1.5 Million To Resolve HIPAA Violations
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed its first financial penalty under the Trump administration for noncompliance with the HIPAA Rules. Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, must pay a $1.5 million civil monetary penalty to resolve alleged violations of the HIPAA Rules.
OCR launched an investigation of Warby Parker to assess compliance with the HIPAA Rules after receiving a data breach report in December 2018. Hackers gained access to customer accounts between September 25, 2018, and November 30, 2018, via the Warby Parker website in a credential stuffing attack, in which usernames and passwords obtained in a data breach at an unrelated entity are tried against accounts on another service. These attacks succeed because individuals reuse the same usernames and passwords on multiple platforms.
Warby Parker filed an addendum with OCR on September 18, 2020, updating the initial breach report to 197,986 affected individuals. Data compromised in the incident included names, addresses, email addresses, the last four digits of payment card information stored in the customer’s account, and eyewear prescription information. Warby Parker also filed separate breach reports in September 2019, January 2020, April 2020, and June 2022 about other credential stuffing data breaches affecting a total of 484 individuals.
OCR commenced an investigation on September 16, 2019, and determined that Warby Parker was in violation of multiple provisions of the HIPAA Rules. Warby Parker was found to have failed to conduct an accurate and comprehensive risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), to have implemented insufficient security measures to reduce those risks and vulnerabilities to a reasonable and appropriate level, and to have failed to implement procedures to regularly review records of information system activity.
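The two technical points above, a credential stuffing attack and the absence of regular review of information system activity records, are exactly what a routine review of web login audit logs is meant to catch. The following is an added example, not code from the article or from Warby Parker; the log line format, the sample log lines, the IP addresses, the account names and the detection thresholds are all constructed for illustration. It flags source addresses that attempt many distinct accounts within a short window with a high failure rate, then lists accounts that saw a successful login from such a source so they can be forced to reset their password.

```python
"""Flag credential-stuffing patterns in web login audit logs.

Added example (not from the HIPAA Journal article or Warby Parker's systems).
The log format is a constructed, hypothetical one:
    <ISO timestamp> ip=<addr> user=<account> result=<success|failure>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line):
    """Parse one audit log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LoginEvent(datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                      m["result"] == "success")


def parse_log(lines):
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def suspicious_sources(events, window=timedelta(minutes=10), min_users=5,
                       min_failure_rate=0.6):
    """Return {ip: stats} for sources that tried many distinct accounts, mostly
    unsuccessfully, inside one sliding time window. Thresholds are assumptions;
    tune them against a baseline of the site's normal login traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            failures = sum(1 for e in chunk if not e.success)
            if len(users) >= min_users and failures / len(chunk) >= min_failure_rate:
                stats = {"distinct_users": len(users), "attempts": len(chunk),
                         "failures": failures}
                # keep the widest window seen for this source
                if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = stats
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts that had a successful login from a flagged source (reset candidates)."""
    return sorted({e.user for e in events if e.success and e.ip in flagged_ips})


# Constructed sample log: one stuffing source (203.0.113.7) cycling through six
# accounts with one hit, plus ordinary traffic from two legitimate users.
SAMPLE_LOG = [
    "2018-10-01T02:00:01 ip=203.0.113.7 user=a@example.com result=failure",
    "2018-10-01T02:00:02 ip=203.0.113.7 user=b@example.com result=failure",
    "2018-10-01T02:00:03 ip=203.0.113.7 user=c@example.com result=failure",
    "2018-10-01T02:00:04 ip=203.0.113.7 user=d@example.com result=success",
    "2018-10-01T02:00:05 ip=203.0.113.7 user=e@example.com result=failure",
    "2018-10-01T02:00:06 ip=203.0.113.7 user=f@example.com result=failure",
    "2018-10-01T02:01:00 ip=198.51.100.20 user=g@example.com result=success",
    "2018-10-01T02:02:00 ip=198.51.100.21 user=h@example.com result=failure",
    "2018-10-01T02:02:10 ip=198.51.100.21 user=h@example.com result=failure",
    "2018-10-01T02:02:20 ip=198.51.100.21 user=h@example.com result=success",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = suspicious_sources(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

A single legitimate user who mistypes a password a few times is not flagged, because the per-source distinct-account count stays at one; the stuffing source is flagged by the combination of many accounts and a high failure rate, which is the signature the article's description of the attack implies. In production the same logic would run on a schedule against the real audit trail, which is the "regular review of records of information system activity" the Security Rule expects.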
On March 14, 2024, Warby Parker was informed of the findings of the investigation and was given the opportunity to settle the alleged violations informally, but Warby Parker chose not to do so. Warby Parker responded to a Letter of Opportunity to submit evidence of mitigating factors; however, OCR determined that they did not support an affirmative defense and obtained authorization to impose a civil monetary penalty.
Warby Parker provided OCR with evidence that recognized security practices had been in place continuously for the 12 months prior to the data breach; however, OCR determined that the submitted evidence did not adequately demonstrate this, so the civil monetary penalty was not reduced. There is no corrective action plan (CAP), as OCR cannot compel HIPAA-regulated entities to follow a CAP when imposing a civil monetary penalty. CAPs are only agreed upon when alleged HIPAA violations are settled informally.
“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” said OCR Acting Director Anthony Archeval. “Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”