Warby Parker hit with $1.5M HIPAA fine over cybersecurity breach

The U.S. Department of Health and Human Services has imposed a $1.5 million penalty on Warby Parker for HIPAA violations following a cybersecurity breach that exposed nearly 200,000 customers' health information.

What happened

Between September and November 2018, unauthorized parties gained access to Warby Parker customer accounts through credential stuffing attacks, using login information obtained from other breached websites.

Credential stuffing is a type of cyberattack where criminals use stolen usernames and passwords from one website to try to log into other websites. The attack works because many people reuse the same passwords across multiple accounts. In this case, attackers used login credentials stolen from other breached websites to gain unauthorized access to Warby Parker customer accounts.
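The "one source, many accounts" shape of credential stuffing described above is what a defender looks for in authentication logs. The Python below is an added example and is not code from the article, from Warby Parker or from HHS/OCR; the log lines and their field format are constructed for it, and the thresholds (five distinct accounts within ten minutes) are assumptions to be tuned per site. It flags source addresses that cycle through many accounts, deliberately does not flag repeated failures against one account (brute force, a different pattern), and lists the accounts where a reused password actually worked, which are the ones to reset. A periodic run of this kind of check is what a "regular system activity review" amounts to in practice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log. These lines are invented for
# this example and are not from Warby Parker, HHS/OCR or the article.
# Assumed line format:
#   "<ISO-8601 UTC timestamp> login ip=<addr> user=<account> result=SUCCESS|FAIL"
SAMPLE_LOG = """\
2018-09-12T10:15:01Z login ip=203.0.113.5 user=alice@example.com result=FAIL
2018-09-12T10:15:02Z login ip=203.0.113.5 user=bob@example.com result=FAIL
2018-09-12T10:15:03Z login ip=203.0.113.5 user=carol@example.com result=FAIL
2018-09-12T10:15:04Z login ip=203.0.113.5 user=dave@example.com result=SUCCESS
2018-09-12T10:15:05Z login ip=203.0.113.5 user=erin@example.com result=FAIL
2018-09-12T10:15:06Z login ip=203.0.113.5 user=frank@example.com result=FAIL
2018-09-12T10:20:00Z login ip=198.51.100.7 user=alice@example.com result=FAIL
2018-09-12T10:20:30Z login ip=198.51.100.7 user=alice@example.com result=FAIL
2018-09-12T10:21:00Z login ip=198.51.100.7 user=alice@example.com result=SUCCESS
2018-09-12T11:00:00Z login ip=192.0.2.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct accounts} for every source IP that attempted
    at least `min_users` distinct accounts inside any span of length `window`.

    The signature is "one source, many accounts": each leaked credential pair is
    tried once or twice and the attacker moves on. Many failures against a single
    account from one IP is a different pattern (brute force) and is intentionally
    not flagged here.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():  # attempts are already time-ordered
        start = 0
        for end in range(len(attempts)):
            # advance the window start until attempts[start:end+1] fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def takeover_candidates(events, flagged_ips):
    """Accounts that saw a SUCCESS from a flagged source: the reused passwords
    that worked, i.e. the accounts to reset and whose sessions to revoke."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged_ips and result == "SUCCESS"})


def review(text):
    """Run both checks over a log and return a summary for an activity review."""
    events = parse_log(text)
    sources = find_stuffing_sources(events)
    return {
        "events": len(events),
        "stuffing_sources": sources,
        "compromised_accounts": takeover_candidates(events, set(sources)),
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    for ip, users in summary["stuffing_sources"].items():
        print(f"{ip}: {len(users)} distinct accounts attempted -> credential stuffing")
    print("accounts to reset:", ", ".join(summary["compromised_accounts"]))
```

On the constructed log, 203.0.113.5 is flagged (six accounts in five seconds) and dave@example.com is reported as compromised, while 198.51.100.7 (three tries on one account) is not. Detection of this kind complements, rather than replaces, the controls that stop the attack outright: multi-factor authentication, per-source rate limiting, and checking new passwords against known-breached lists.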

What's new

The company has agreed to pay the penalty without contesting the findings of the HHS Office for Civil Rights (OCR), which identified three significant HIPAA Security Rule violations, including failure to conduct a proper risk analysis and to implement adequate security measures.

Why it matters

The breach exposed sensitive customer data including names, addresses, payment information, and prescription details. This case shows the growing risks of credential stuffing attacks in healthcare and the importance of HIPAA compliance for companies handling medical information.

The big picture

This enforcement action signals OCR's increasing focus on cybersecurity compliance in healthcare. The incident affected 197,986 individuals, with Warby Parker reporting additional similar breaches in 2020 and 2022.

What they're saying

"Identifying and addressing potential risks and vulnerabilities to electronic protected health information (ePHI) is necessary for effective cybersecurity and compliance with the HIPAA Security Rule," said OCR Acting Director Anthony Archeval. "Regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach."

FAQs

What HIPAA violations were found?

The investigation revealed failures to conduct thorough risk analysis, implement sufficient security measures, and maintain regular system activity reviews.

How did the breach occur?

Attackers used credentials stolen from other websites to access Warby Parker customer accounts, a technique known as credential stuffing.

What should companies do to prevent similar breaches?

OCR recommends implementing strong authentication measures, encrypting health information, and providing regular HIPAA training to staff.