The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $1.5 million civil money penalty on Warby Parker, Inc., an eyewear manufacturer and online retailer, for violations of the HIPAA Security Rule. The penalty follows an investigation into a data breach caused by unauthorized access to customer accounts by third parties.

HIPAA Security Rule and Compliance Requirements

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require health plans, health care providers, and business associates to safeguard protected health information (PHI). The HIPAA Security Rule sets national standards for protecting electronic PHI (ePHI) by requiring appropriate administrative, physical, and technical safeguards to maintain its confidentiality, integrity, and security.

“Proactively identifying and addressing cybersecurity risks is essential for HIPAA compliance,” said OCR Acting Director Anthony Archeval. “Covered entities must ensure they meet Security Rule requirements before a breach occurs.”

Timeline of the Investigation

  • December 2018 – OCR launched an investigation following Warby Parker’s breach report.
  • November 2018 – Warby Parker detected unusual login activity on its website, which was later identified as a credential stuffing attack, where cybercriminals used stolen credentials from unrelated websites to gain access to customer accounts.
  • September–November 2018 – Hackers accessed sensitive customer data, affecting 197,986 individuals. The compromised ePHI included:
    • Names
    • Mailing and email addresses
    • Certain payment card details
    • Eyewear prescription information
  • April 2020 & June 2022 – Warby Parker reported additional breaches involving similar attacks, though each affected fewer than 500 individuals.

HIPAA Violations Identified

OCR’s investigation found Warby Parker violated three key provisions of the HIPAA Security Rule:

  1. Failure to conduct a comprehensive risk analysis to assess security vulnerabilities.
  2. Lack of adequate security measures to protect ePHI from cyber threats.
  3. Failure to implement audit procedures to monitor and review system activity.

Enforcement Action and Penalty

  • September 2024 – OCR issued a Notice of Proposed Determination, seeking to impose a $1.5 million fine.
  • December 2024 – Warby Parker waived its right to a hearing and did not contest the penalty, leading to its final imposition.

Cybersecurity Best Practices for HIPAA Compliance

To prevent cyber threats, OCR advises HIPAA-covered entities to:

  • Identify & track ePHI across all systems.
  • Incorporate risk analysis & management into daily operations.
  • Implement audit controls to monitor security logs.
  • Review system activity regularly for suspicious access.
  • Use multi-factor authentication to prevent unauthorized logins.
  • Encrypt ePHI during transmission and storage.
  • Apply lessons learned from security incidents to strengthen protections.
  • Provide ongoing HIPAA training tailored to employees’ roles.
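The audit-control and activity-review items above are the ones that would have surfaced the credential stuffing described in the timeline. As an added example (not code from Warby Parker, OCR, or the original page), the script below runs over constructed login log lines and flags a source that tries many distinct accounts with a high failure rate; the log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

Constructed sample lines, not Warby Parker's logs or OCR's tooling; the
space-separated format and the thresholds are assumptions to tune per site."""
from collections import defaultdict

# Constructed sample events: "<timestamp> <source_ip> <username> <outcome>"
SAMPLE_LOG = """\
2018-11-01T10:00:01 203.0.113.5 alice fail
2018-11-01T10:00:02 203.0.113.5 bob fail
2018-11-01T10:00:02 203.0.113.5 carol fail
2018-11-01T10:00:03 203.0.113.5 dave success
2018-11-01T10:00:04 203.0.113.5 erin fail
2018-11-01T10:00:05 203.0.113.5 frank fail
2018-11-01T10:05:00 198.51.100.7 alice fail
2018-11-01T10:05:20 198.51.100.7 alice success
"""

def parse_log(text):
    """Yield (ip, user, outcome) tuples from the assumed format."""
    for line in text.splitlines():
        if line.strip():
            _ts, ip, user, outcome = line.split()
            yield ip, user, outcome

def flag_credential_stuffing(events, min_accounts=5, min_fail_rate=0.6):
    """Return {ip: summary} for sources that tried many distinct accounts
    with a high failure rate. Stuffing tries each stolen pair once, so the
    signal is the number of distinct usernames, not repeats on one account."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "hits": set()})
    for ip, user, outcome in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        if outcome == "success":
            rec["ok"] += 1
            rec["hits"].add(user)
        else:
            rec["fail"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        fail_rate = rec["fail"] / (rec["fail"] + rec["ok"])
        if len(rec["users"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "distinct_accounts": len(rec["users"]),
                "fail_rate": round(fail_rate, 2),
                # accounts that logged in from a flagged source: reset them and
                # include them in breach-notification scoping
                "compromised_accounts": sorted(rec["hits"]),
            }
    return flagged
```

The second source (one user, one failure then a success) is ordinary behaviour and is not flagged; the first is, with the one account that succeeded listed for follow-up.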

For more information, visit the HHS Breach Portal https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf