Credential-Stuffing Breaches Affected Nearly 200,000 Warby Parker Customers

Federal regulators have levied a $1.5 million HIPAA civil monetary penalty against eyeglass maker and retailer Warby Parker over credential-stuffing hacks that affected about 200,000 people.
While the fine is the U.S. Department of Health and Human Services’ first announced HIPAA enforcement action since the second Donald Trump administration began a month ago, the HHS’ Office for Civil Rights said that the penalty against Warby Parker was imposed in December 2024 during the final weeks of the Biden administration.
HHS OCR said it initiated an investigation into Warby Parker in December 2018 after receiving a HIPAA breach report filed by the company.
“The report said that in November 2018, Warby Parker became aware of unusual, attempted login activity on its website. Warby Parker reported that between Sept. 25, 2018, and Nov. 30, 2018, unauthorized third parties gained access to Warby Parker customer accounts by using usernames and passwords obtained from other, unrelated websites that were presumably breached.”
Then, nearly two years after that credential-stuffing hack, Warby Parker in September 2020 filed an addendum to its December 2018 breach report, updating the number of individuals affected by the breach to 197,986 (see: Health Data Breach Tally: What’s New).
The affected electronic protected health information included Warby Parker customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information, HHS OCR said.
Warby Parker also filed subsequent breach reports – each affecting fewer than 500 persons – in April 2020 and June 2022, following similar credential-stuffing attacks, HHS OCR said.
HHS OCR said its investigation into the Warby Parker incidents found evidence of three violations of the HIPAA Security Rule.
Those include failing to conduct an accurate and thorough risk analysis; failing to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI; and failing to implement procedures to regularly review records of information system activity.
“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” said Anthony Archeval, acting director of HHS OCR.
“Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
HHS notified Warby Parker in September 2024 of its plans to impose the $1.5 million fine, but the company waived its right to a hearing and did not contest the agency’s notice of proposed determination about the case. In December 2024, HHS OCR imposed the fine.
Warby Parker did not immediately respond to Information Security Media Group’s request for comment on the HIPAA fine.
The vast majority of HHS OCR’s HIPAA enforcement actions involving breaches end with resolution agreements between the agency and the breached covered entity or business associate that include a financial settlement and a corrective action plan. It’s unclear why Warby Parker did not contest HHS OCR’s notice of proposed determination, but some experts said several factors might have come into play.
“It is unusual that Warby Parker waived its right to hearing,” said regulatory attorney Lily Li of Metaverse Law, who is not involved in the case.
“Not contesting the civil monetary penalty suggests that they don’t want to first incur the attorney’s fees of fighting the penalty, and, second, they probably have a lot more concerns about their previous security posture, so they wouldn’t want further investigation,” she said.