Nearly 200,000 Individuals Impacted by HIPAA Cybersecurity Hacking

Warby Parker, Inc., the popular eyewear manufacturer and retailer, will pay a $1.5 million civil money penalty for HIPAA violations regarding the electronic protected health information (ePHI) of 197,986 individuals.

The Office for Civil Rights (OCR) announced its first financial penalty of 2025 on February 20, following an investigation that began after Warby Parker reported the breach in December 2018. Between September and November 2018, the attack involved unauthorized access to Warby Parker customer accounts through compromised credentials obtained from unrelated websites that were presumably breached.

Cyber Criminals Use Credential Stuffing to Gain Access

This type of cyberattack is often called credential stuffing. In it, usernames and passwords obtained in a data breach at an unrelated entity are used to access accounts. The compromised ePHI included customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information.

OCR Investigation Uncovers HIPAA Violations

Following its investigation, OCR determined that Warby Parker violated three key HIPAA Security Rule requirements:

1. Failure to conduct a comprehensive risk analysis to identify vulnerabilities in their ePHI systems.
2. Failure to implement adequate security measures to reduce risks to a reasonable level.
3. Failure to establish procedures to review system activity logs for suspicious behavior regularly.

OCR Acting Director Anthony Archeval emphasized the importance of proactive security measures: “Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”

Steps to Strengthen Cybersecurity and Compliance

The HIPAA Security Rule requires covered entities and their business associates to maintain a comprehensive contingency, emergency mode, data backup, and disaster recovery plan. As recently shown, not doing so can be costly.

Follow these best practices to prevent cybersecurity incidents:

• Identify & Track ePHI: Map out how ePHI enters, flows through, and exits your systems.
• Integrate Risk Analysis: Make cybersecurity risk management an ongoing business priority. A HIPAA Security Risk Analysis assures the confidentiality, integrity, and availability of ePHI.
• Enable Audit Controls: Regularly monitor system logs to detect unauthorized access.
• Review Security Logs: Conduct frequent audits of system activity.
• Strengthen Authentication: Use multi-factor authentication (MFA) to prevent credential stuffing attacks.
• Encrypt ePHI: Protect sensitive data both in transit and at rest.
• Learn from Incidents: Apply lessons from breaches to enhance security strategies.
• Train Your Workforce: Provide ongoing, role-specific HIPAA training for employees.

Warby Parker’s case is a stark reminder that HIPAA compliance is non-negotiable. Cyber threats are evolving, and failing to address security risks can lead to severe financial and reputational consequences. Health care organizations must act now to safeguard ePHI, strengthen security protocols, and ensure HIPAA compliance.