The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a $1,500,000 civil money penalty against Warby Parker, Inc. due to multiple HIPAA violations.
Warby Parker reported a breach in 2018 “regarding the unauthorized access by one or more third parties to customer accounts,” according to a release. The attackers broke into customers’ accounts “by using usernames and passwords obtained from other, unrelated websites that were presumably breached.” HHS characterized this incident as “credential stuffing.” Nearly 200,000 patients’ data was compromised in the attack. Stolen information included addresses, prescription information, names, emails, and payment information. Similar attacks occurred in 2020 and 2022.
Multiple HIPAA violations were discovered during OCR’s investigation, including “a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.”
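The attack pattern described above (credentials reused from other breaches, tried once each against many accounts) and the cited control (regularly reviewing records of information system activity) can be illustrated with a small detector. The following is an added example, not code from the article or from Warby Parker or HHS: it assumes a hypothetical authentication log format of `timestamp source_ip username outcome`, uses constructed sample lines, and flags any source IP that attempts logins to at least five distinct accounts within a ten-minute window. That signature separates credential stuffing (many accounts, few attempts each) from an ordinary user retrying their own password (one account, several attempts), which is why the second IP in the sample is not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication records (not real data).
# Assumed format: "<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2018-06-01T10:00:00 203.0.113.7 alice LOGIN_FAIL
2018-06-01T10:00:01 203.0.113.7 bob LOGIN_FAIL
2018-06-01T10:00:02 203.0.113.7 carol LOGIN_OK
2018-06-01T10:00:03 203.0.113.7 dave LOGIN_FAIL
2018-06-01T10:00:04 203.0.113.7 erin LOGIN_FAIL
2018-06-01T10:00:05 203.0.113.7 frank LOGIN_FAIL
2018-06-01T10:00:06 203.0.113.7 grace LOGIN_OK
2018-06-01T10:05:00 198.51.100.9 alice LOGIN_FAIL
2018-06-01T10:05:30 198.51.100.9 alice LOGIN_FAIL
2018-06-01T10:06:00 198.51.100.9 alice LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source_ip: details} for IPs whose login attempts spread across
    at least `min_distinct_users` different accounts inside any `window`.

    Credential stuffing looks like one or two tries per account across many
    accounts, so the distinct-account count per source is the key signal.
    Successful logins inside a flagged burst are listed as accounts to review.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            if len(users) < min_distinct_users:
                continue
            successes = sorted({u for _, u, o in window_evs if o == "LOGIN_OK"})
            prev = alerts.get(ip)
            # Keep the widest burst seen for this IP.
            if prev is None or len(users) > prev["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window_evs),
                    "window_start": window_evs[0][0].isoformat(),
                    "compromised_accounts": successes,
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts across {info['distinct_users']} accounts "
              f"from {info['window_start']}; successful logins to review: "
              f"{', '.join(info['compromised_accounts']) or 'none'}")
```

On the constructed sample, 203.0.113.7 is flagged (seven accounts in seven seconds, with two successful logins to investigate and reset), while 198.51.100.9 is not, because all of its attempts target a single account. The thresholds are assumptions to be tuned against real login volume, and a production version would key on the same signal across IP ranges and user agents, since stuffing tools rotate sources.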
OCR also posted guidelines for preventing healthcare cyberattacks in the press release.