Privacy Daily is a service of Warren Communications News.

Warby Parker Fined $1.5 Million for Violations of HIPAA

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced Thursday that eyewear company Warby Parker must pay a $1.5 million penalty after a data breach that violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.


In December 2018, Warby Parker filed a breach report stating that unauthorized third parties had gained access to customer accounts using usernames and passwords obtained from unrelated websites that had likely been breached, the announcement said. Almost 198,000 individuals were impacted, and two similar attacks occurred in April 2020 and June 2022, each affecting fewer than 500 people. OCR then initiated an investigation, which found that the company had committed three violations of HIPAA’s Security Rule, including a failure to conduct a thorough risk assessment and a failure to implement sufficient security measures, HHS said.

“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” said OCR Acting Director Anthony Archeval. “Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”

Warby Parker didn't comment.