HIPAA violation results in $1.5M civil money penalty

Feb. 24, 2025
Nearly 200,000 patients’ data compromised.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a $1,500,000 civil money penalty against Warby Parker, Inc. due to multiple HIPAA violations.

Warby Parker reported a breach in 2018 “regarding the unauthorized access by one or more third parties to customer accounts,” according to a release. The attackers broke into customers’ accounts “by using usernames and passwords obtained from other, unrelated websites that were presumably breached.” HHS characterized this incident as “credential stuffing.” Nearly 200,000 patients’ data was compromised in the attack. Stolen information included names, addresses, email addresses, prescription information, and payment information. Similar attacks also occurred in 2020 and 2022.

Multiple HIPAA violations were discovered during OCR’s investigation, including “a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.”
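The attack pattern described above (one source trying many different usernames, most of them failing, with an occasional success) is visible in authentication records if someone actually reviews them, which is the last of the three failures OCR lists. The following is an added illustration written for this article, not code from the HHS release or from Warby Parker’s systems; the log format, field names, thresholds and sample lines are all assumptions constructed for the demo.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: ISO timestamp, source IP,
# username, outcome. The first source tries eight different accounts in a
# few seconds and gets into one; the second is one user retrying their own
# password, which is ordinary behaviour and must not be flagged.
SAMPLE_LOG = """\
2025-02-24T10:00:01 203.0.113.7 alice FAIL
2025-02-24T10:00:02 203.0.113.7 bob FAIL
2025-02-24T10:00:02 203.0.113.7 carol FAIL
2025-02-24T10:00:03 203.0.113.7 dave FAIL
2025-02-24T10:00:03 203.0.113.7 erin OK
2025-02-24T10:00:04 203.0.113.7 frank FAIL
2025-02-24T10:00:04 203.0.113.7 grace FAIL
2025-02-24T10:00:05 203.0.113.7 heidi FAIL
2025-02-24T10:00:30 198.51.100.9 alice FAIL
2025-02-24T10:00:35 198.51.100.9 alice FAIL
2025-02-24T10:00:40 198.51.100.9 alice OK
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources that tried at least `min_users` distinct
    usernames inside `window` with a low success rate. `compromised` lists the
    accounts that succeeded from that source (the notification scope)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over this source's attempts, in time order
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            hits = sorted({u for _, u, ok in win if ok})
            if len(users) >= min_users and len(hits) / len(win) <= max_success_ratio:
                # keep the widest qualifying window seen for this source
                if ip not in flagged or len(users) >= flagged[ip]["users"]:
                    flagged[ip] = {"users": len(users), "attempts": len(win),
                                   "compromised": hits}
    return flagged
```

Thresholds are deliberately loose for the demo; in practice they are tuned against the application’s normal login volume, and the `compromised` list drives forced password resets and notification.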

OCR posted guidelines for preventing healthcare cyberattacks in the press release.
