
OCR: Warby Parker to pay $1.5M penalty for violating HIPAA

Warby Parker faces a $1.5 million penalty for violating HIPAA, OCR determined after launching an investigation into a 2018 credential stuffing cyberattack against the eyewear retailer.

The HHS Office for Civil Rights announced a $1.5 million fine against Warby Parker as a penalty for violating HIPAA. OCR issued the civil money penalty against the eyewear manufacturer and online retailer following an investigation into a 2018 data breach that impacted nearly 200,000 individuals and revealed several potential HIPAA Security Rule violations.

OCR said it launched the investigation in December 2018 after it received a breach report from Warby Parker detailing an incident that took place between Sept. 25, 2018, and Nov. 30, 2018, in which unauthorized third parties gained access to Warby Parker customer accounts.

The unauthorized parties gained access to these accounts via credential stuffing. Credential stuffing is the practice of taking username and password pairs exposed in other data breaches and replaying them, typically at scale with automated tooling, against a different service, relying on the fact that many users reuse the same password across accounts.

Credential stuffing is a popular cyberthreat tactic and was notably used against genetic testing company 23andMe in October 2023 to perpetrate a data breach that impacted 6.9 million individuals. It is effective because the attacker presents valid credentials: each successful login looks like a legitimate authentication, and each account typically sees only one or two attempts, so controls that watch only for repeated failures against a single account never fire.
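The following is an added illustration of that detection gap, not code from Warby Parker, OCR or the article. It runs two rules over a constructed authentication log (the log format, the thresholds, and the example.com usernames are assumptions; the addresses are from documentation ranges): a classic per-account lockout rule, which sees nothing, and a source-based rule that flags one address trying many distinct usernames inside a short window and reports which of those logins succeeded.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example for this article; not code from Warby Parker, OCR or anyone
else named on the page. The log format and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format:
#   <ISO timestamp> <source IP> <username> <SUCCESS|FAIL>
# One address cycles through eight different accounts in seven seconds and
# gets into two of them; the other two addresses are ordinary users.
SAMPLE_LOG = """\
2018-09-25T02:00:01 203.0.113.9 alice@example.com FAIL
2018-09-25T02:00:02 203.0.113.9 bob@example.com FAIL
2018-09-25T02:00:03 203.0.113.9 carol@example.com SUCCESS
2018-09-25T02:00:04 203.0.113.9 dave@example.com FAIL
2018-09-25T02:00:05 203.0.113.9 erin@example.com FAIL
2018-09-25T02:00:06 203.0.113.9 frank@example.com SUCCESS
2018-09-25T02:00:07 203.0.113.9 grace@example.com FAIL
2018-09-25T02:00:08 203.0.113.9 heidi@example.com FAIL
2018-09-25T08:15:00 198.51.100.4 alice@example.com FAIL
2018-09-25T08:15:20 198.51.100.4 alice@example.com SUCCESS
2018-09-25T09:00:00 192.0.2.77 bob@example.com SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed four-column format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def per_account_failure_alerts(events: list[AuthEvent], threshold: int = 5) -> list[str]:
    """Lockout-style rule: N failures against one account. Stuffing spreads
    its attempts across many accounts, so this returns nothing here."""
    fails: dict[str, int] = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[e.user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def credential_stuffing_alerts(events: list[AuthEvent],
                               window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5) -> dict[str, dict]:
    """Source-based rule: flag an IP that attempts >= min_distinct_users
    different usernames within `window`, and list the accounts it got into
    (these are the takeovers an incident responder must follow up on)."""
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)  # preserves time order from parse_log

    alerts: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            if len(users) < min_distinct_users:
                continue
            rec = alerts.setdefault(ip, {"distinct_users": 0, "attempts": 0, "compromised": set()})
            rec["distinct_users"] = max(rec["distinct_users"], len(users))
            rec["attempts"] = max(rec["attempts"], len(chunk))
            rec["compromised"].update(e.user for e in chunk if e.ok)

    # Return sorted lists so results are deterministic and easy to report.
    return {ip: {**rec, "compromised": sorted(rec["compromised"])} for ip, rec in alerts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockout alerts:", per_account_failure_alerts(evs))
    for ip, rec in credential_stuffing_alerts(evs).items():
        print(f"stuffing from {ip}: {rec['distinct_users']} users in "
              f"{rec['attempts']} attempts; compromised {rec['compromised']}")
```

In production the grouping key is usually broader than a single IP (ASN, client fingerprint, or proxy exit pool), and the successful logins inside a flagged window are the list that drives forced password resets and customer notification.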

The electronic protected health information (ePHI) potentially compromised in the Warby Parker data breach included eyewear prescription information, payment card information, names, mailing addresses and email addresses.

In addition to the 2018 breach report, Warby Parker filed two subsequent breach reports detailing similar attacks in April 2020 and June 2022, respectively, each of which affected fewer than 500 individuals.

"OCR's investigation found evidence of three violations of the HIPAA Security Rule, including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker's systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity," OCR stated.

OCR imposed the civil money penalty in December 2024 under former director Melanie Fontes Rainer to resolve the alleged violations, and Warby Parker waived its right to a hearing.

"Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule," Anthony Archeval, OCR's acting director, said in a February press release.

"Protecting individuals' electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
