HHS OCR Imposes $1.5 Million Penalty on Warby Parker in Wake of Cyberattack

The HHS Office for Civil Rights (OCR) today imposed a $1,500,000 civil money penalty against Warby Parker concerning “violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of a breach report regarding the unauthorized access by one or more third parties to customer accounts.”

In December 2018, “OCR initiated an investigation following receipt of a breach report filed by Warby Parker. The report stated that in November 2018, Warby Parker became aware of unusual attempted log-in activity on its website.” The company reported that “between September 25, 2018, and November 30, 2018, unauthorized third parties gained access to Warby Parker customer accounts by using usernames and passwords obtained from other, unrelated websites that were presumably breached.” In September 2020, they said that 197,986 individuals had been affected.

The compromised electronic personal health information (ePHI) included “customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information. Warby Parker also filed subsequent breach reports (each breach report affecting fewer than 500 persons) in April 2020, and June 2022, following similar attacks.”

OCR found three violations of the HIPAA Security Rule through its investigation, “including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.”