
Feds Penalize Eyeglass Retailer $1.5M for HIPAA Violations due to Security Breaches


Federal regulators have imposed a $1.5 million civil monetary penalty on eyeglass maker and retailer Warby Parker for HIPAA Security Rule failures uncovered after credential-stuffing attacks compromised the accounts of nearly 200,000 individuals.

The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) disclosed that the penalty was imposed in December 2024, under the Biden administration; its announcement is the first HIPAA enforcement action made public since the start of the second Donald Trump administration. OCR opened its investigation into Warby Parker in December 2018, after the company filed a HIPAA breach report.

According to that report, Warby Parker noticed unusual login activity on its website in November 2018; its investigation found that unauthorized third parties had accessed customer accounts between September and November of that year. The attackers used usernames and passwords stolen from other breached websites and replayed them against Warby Parker’s login page, a technique known as credential stuffing, which succeeds wherever customers reuse the same password across sites.

Warby Parker updated the breach report in September 2020, revising the number of affected individuals to 197,986. The compromised data included customer names, addresses, email addresses, payment card details, and eyewear prescription information. The company filed further breach reports in April 2020 and June 2022 describing similar credential-stuffing incidents, each affecting fewer than 500 people.

During its investigation, HHS OCR identified three violations of the HIPAA Security Rule: failure to conduct an accurate and thorough risk analysis of the risks to electronic protected health information (ePHI) (45 CFR 164.308(a)(1)(ii)(A)); failure to implement security measures sufficient to reduce those risks to a reasonable and appropriate level (164.308(a)(1)(ii)(B)); and failure to implement procedures to regularly review records of information system activity, such as audit logs and access reports (164.308(a)(1)(ii)(D)). The third finding is the one most directly tied to the attack itself: credential stuffing leaves a distinctive signature in authentication logs, and a routine log review is what turns that signature into a detection.
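The following is an added example, not code from the original article or from Warby Parker, showing what the "information system activity review" finding above looks like in practice when applied to the credential-stuffing pattern described earlier. It parses constructed login events (the log format, IP addresses, usernames and timestamps are all made up for illustration), then flags any source IP that attempts many distinct accounts in a short window with a high failure rate, and lists the accounts that nevertheless logged in successfully from that IP, since those are the ones whose passwords were valid and need a forced reset. The window length and thresholds are assumptions a real deployment would tune.

```python
"""Credential-stuffing detection over authentication logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <username> <source IP> <SUCCESS|FAIL>".
# One IP walks through eight different accounts in seven seconds (classic credential
# stuffing); another shows a single user retrying their own password, which is benign.
SAMPLE_LOG = """\
2018-11-02T10:00:01 alice 203.0.113.7 FAIL
2018-11-02T10:00:02 bob 203.0.113.7 FAIL
2018-11-02T10:00:03 carol 203.0.113.7 SUCCESS
2018-11-02T10:00:04 dave 203.0.113.7 FAIL
2018-11-02T10:00:05 erin 203.0.113.7 FAIL
2018-11-02T10:00:06 frank 203.0.113.7 SUCCESS
2018-11-02T10:00:07 grace 203.0.113.7 FAIL
2018-11-02T10:00:08 heidi 203.0.113.7 FAIL
2018-11-02T10:05:00 alice 198.51.100.4 FAIL
2018-11-02T10:05:30 alice 198.51.100.4 SUCCESS
2018-11-02T11:00:00 bob 192.0.2.9 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    ok: bool


@dataclass
class Finding:
    ip: str
    window_start: datetime
    distinct_users: int
    failures: int
    attempts: int
    compromised: tuple  # accounts that logged in successfully from the flagged IP


def parse_log(text: str) -> list:
    """Parse the constructed log format into events sorted by time; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, user, ip, result = m.groups()
        events.append(LoginEvent(datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5) -> list:
    """Flag source IPs that try >= min_users distinct accounts inside `window`
    with a failure ratio >= min_fail_ratio. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        recent = deque()  # sliding window of this IP's events
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            users = {x.user for x in recent}
            fails = sum(1 for x in recent if not x.ok)
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                compromised = tuple(sorted(x.user for x in recent if x.ok))
                prev = findings.get(ip)
                # Keep the widest window seen for this IP so the report is complete.
                if prev is None or len(users) > prev.distinct_users:
                    findings[ip] = Finding(ip, recent[0].ts, len(users), fails,
                                           len(recent), compromised)
    return sorted(findings.values(), key=lambda f: f.ip)


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.ip}: {f.distinct_users} accounts, {f.failures}/{f.attempts} failed "
              f"from {f.window_start:%H:%M:%S}; force reset for {', '.join(f.compromised)}")
```

The single-user retry from 198.51.100.4 is deliberately left unflagged: a per-account lockout would have treated it as the threat while missing the real one, because a stuffing attack spends only one or two attempts per account and spreads across hundreds of them. The per-source-IP view is what a periodic review of access logs under 164.308(a)(1)(ii)(D) is meant to provide; in production the same logic would key on IP ranges, ASNs or device fingerprints, since attackers rotate proxies.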

Acting director of HHS OCR, Anthony Archeval, emphasized the importance of addressing risks and vulnerabilities in safeguarding ePHI and ensuring compliance with the Security Rule. He highlighted the necessity for regulated entities to proactively implement security measures to prevent breaches and protect individuals’ health information.

HHS OCR notified Warby Parker of the proposed $1.5 million penalty in September 2024. The company waived its right to a hearing and did not contest the agency’s proposed determination, and OCR imposed the penalty in December 2024.

Most HIPAA enforcement actions end in settlement agreements with corrective action plans rather than civil monetary penalties, so Warby Parker’s decision not to challenge the penalty drew attention from experts. Regulatory attorney Lily Li suggested that the company’s reluctance to contest the fine may signify concerns about its security practices and a desire to avoid further scrutiny.

Warby Parker did not immediately comment on the fine. The case shows that regulators treat credential stuffing against consumer accounts holding ePHI as a Security Rule matter: the penalty rests not on the attackers’ access itself but on the absent risk analysis, risk management measures, and log review that would have let the company detect and contain it. As enforcement of data privacy laws intensifies, organizations holding health data must treat those controls as baseline requirements rather than optional hardening.
