The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a financial penalty against Warby Parker, Inc. for noncompliance with the HIPAA Rules. This is the first financial penalty issued by OCR under the Trump administration. Warby Parker produces and sells prescription and non-prescription eyeglasses online. A $1.5 million civil monetary penalty must be paid to settle alleged HIPAA Rules violations.
OCR started investigating Warby Parker to evaluate compliance with the HIPAA Rules after getting a breach report in December 2018. Hackers acquired access to customers’ accounts from September 25, 2018, to November 30, 2018, through its website using a credential stuffing attack. The attackers used usernames and passwords obtained from a data breach in an entity not related to Warby Parker and then accessed the accounts. Such attacks tend to be successful because people use similar usernames and passwords on different platforms.
Warby Parker updated its initial breach report by submitting an addendum to OCR on September 18, 2020. A total of 197,986 individuals were affected by the data breach. Customers’ compromised data included the following: names, residential and email addresses, eyewear prescription details, and the last four digits of payment card details. Warby Parker likewise submitted four individual breach reports, one in September 2019, another in January 2020, April 2020, and June 2022 concerning other credential stuffing data breaches impacting 484 people.
On September 16, 2019, OCR started the investigation and confirmed that Warby Parker violated multiple terms of the HIPAA law. Warby Parker didn’t perform a correct and detailed risk analysis to determine risks and vulnerabilities to the integrity, confidentiality, and availability of electronic protected health information (ePHI). It implemented inadequate security measures to minimize risks and vulnerabilities to a reasonable and proper level. It did not use the proper procedures to check records of data system activity regularly.
On March 14, 2024, Warby Parker received the results of the investigation and was instructed to resolve the supposed HIPAA violations informally. However, Warby Parker did not do so. Warby Parker replied to a Letter of Opportunity to send proof of mitigating factors. Upon review, OCR decided that the proof failed to support a positive defense and acquired authorization to enforce a civil monetary penalty.
OCR received proof that acknowledged security practices were set up consistently for one year before the data breach; nevertheless, OCR decided the submitted proof didn’t sufficiently show that acknowledged security practices were in place for a year, hence there was no reduction in civil monetary penalty. No corrective action plan was required since OCR could not force HIPAA-covered entities to adhere to a CAP when enforcing a civil monetary penalty. CAPs are just decided when HIPAA violations are resolved in private.
Determining and dealing with possible risks and vulnerabilities to ePHI is required for efficient cybersecurity and HIPAA certification. Safeguarding individuals’ electronic health data means covered entities must be cautious in using and complying with the Security Law requirements before experiencing a breach.
