
HHS Imposes a $1.5 million Civil Penalty Against Warby Parker

On February 20, 2025, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), imposed a $1.5 million civil money penalty on Warby Parker, Inc. for violations of the HIPAA Security Rule.


The investigation began in December 2018, following a breach report filed by the eyewear manufacturer and retailer Warby Parker. The breach, which occurred between September and November 2018, involved attackers gaining unauthorized access to customer accounts by logging in with usernames and passwords likely obtained from other breached websites (a credential-stuffing attack, which succeeds wherever customers reuse passwords across sites). In September 2020, Warby Parker amended its original report, disclosing that the information of 197,986 individuals had been compromised. The affected electronic protected health information (ePHI) included customer names, mailing addresses, email addresses, payment card details, and eyewear prescription data.


OCR’s investigation found three violations of the HIPAA Security Rule:

  • Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems;
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
  • Failure to implement procedures to regularly review records of information system activity, such as audit logs and access reports.

In September 2024, OCR moved to impose the $1.5 million penalty, which Warby Parker did not contest. This penalty marked the first HIPAA Security Rule enforcement action announced under the new administration. HIPAA covered entities (health care providers, health plans, and health care clearinghouses) and their business associates must remain vigilant in ensuring compliance with HIPAA security requirements to prevent unauthorized access to protected health information.
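The third finding is the one that turns a breach like this into a detectable event: a credential-stuffing campaign is loud in an application's login records (one source hitting many distinct accounts in minutes, most of them failing), so a routine review of those records is exactly the control that would have caught it early. As an added illustration (not Warby Parker's code and not part of the original post), the following Python flags that pattern over constructed login-log lines in an assumed "key=value" format; the IP addresses, usernames, thresholds and format are all assumptions for the example. It deliberately distinguishes credential stuffing (breadth across accounts) from brute force or a user mistyping a password (depth on one account), and it returns the accounts that actually logged in successfully from the flagged source, which is the list that drives password resets and breach-notification scoping.

```python
"""Credential-stuffing detection over web-application login logs.

Added example (not Warby Parker's code): flags source IPs that attempt many
distinct accounts in a short window, and lists which of those attempts
succeeded, i.e. the accounts that need a forced reset and breach scoping.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "key=value" format; not real data.
# 203.0.113.10 sprays seven accounts in six seconds (two succeed);
# 198.51.100.7 is one user mistyping a password; 198.51.100.9 brute-forces
# a single account and should not trip the stuffing rule.
SAMPLE_LOG = """\
2018-10-03T02:14:07Z ip=203.0.113.10 user=alice@example.com result=FAIL
2018-10-03T02:14:08Z ip=203.0.113.10 user=bob@example.com result=FAIL
2018-10-03T02:14:09Z ip=203.0.113.10 user=carol@example.com result=SUCCESS
2018-10-03T02:14:10Z ip=203.0.113.10 user=dave@example.com result=FAIL
2018-10-03T02:14:11Z ip=203.0.113.10 user=erin@example.com result=FAIL
2018-10-03T02:14:12Z ip=203.0.113.10 user=frank@example.com result=SUCCESS
2018-10-03T02:14:13Z ip=203.0.113.10 user=grace@example.com result=FAIL
2018-10-03T09:30:00Z ip=198.51.100.7 user=carol@example.com result=FAIL
2018-10-03T09:30:21Z ip=198.51.100.7 user=carol@example.com result=SUCCESS
2018-10-03T11:00:00Z ip=198.51.100.9 user=heidi@example.com result=FAIL
2018-10-03T11:00:05Z ip=198.51.100.9 user=heidi@example.com result=FAIL
2018-10-03T11:00:09Z ip=198.51.100.9 user=heidi@example.com result=FAIL
2018-10-03T11:00:14Z ip=198.51.100.9 user=heidi@example.com result=FAIL
2018-10-03T11:00:20Z ip=198.51.100.9 user=heidi@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(log_text, window_minutes=10, min_accounts=5):
    """Flag IPs that hit >= min_accounts distinct usernames within window_minutes.

    Returns {ip: {"accounts": int, "attempts": int, "failures": int,
                  "compromised": sorted usernames with a SUCCESS from that IP}}.
    A single account failing repeatedly (brute force, or a user mistyping)
    does not trip this rule; only breadth across accounts does.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    window = timedelta(minutes=window_minutes)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] spans <= window.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in events[start:end + 1]}
            if len(distinct) >= min_accounts:
                findings[ip] = {
                    "accounts": len({e["user"] for e in events}),
                    "attempts": len(events),
                    "failures": sum(e["result"] == "FAIL" for e in events),
                    "compromised": sorted(
                        {e["user"] for e in events if e["result"] == "SUCCESS"}
                    ),
                }
                break  # one finding per IP is enough; totals cover the whole IP
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['accounts']} accounts, {f['failures']}/{f['attempts']} failed, "
              f"successful logins to: {', '.join(f['compromised'])}")
```

Run against the sample, only 203.0.113.10 is flagged; the brute-force source 198.51.100.9 is left for a separate per-account lockout rule. In practice the same logic runs over the real authentication log on a schedule (or in a SIEM), and the review procedure OCR faulted is the part that makes sure someone looks at what it flags.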


Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.


About the Author

Saili Hernandez

Attorney at Law | Tampa Office

T: 813.329.3668
E: shernandez@hallboothsmith.com

Saili Hernandez focuses her practice on data privacy & cybersecurity in addition to general liability matters.