Warby Parker has been fined $1.5 million by the Department of Health and Human Services (HHS) following a credential stuffing attack in 2018 that compromised the personal health information of nearly 200,000 individuals. The HHS Office for Civil Rights (OCR) imposed the fine, citing multiple security failures by the company. Warby Parker failed to conduct a thorough risk analysis to identify potential vulnerabilities in its systems, which contributed to the breach.
The breach was triggered when a third party used stolen login information from other sources to gain unauthorized access to customer accounts. The affected data included names, addresses, payment information, and eyewear prescriptions.
Despite detecting unusual login activity in November 2018, the company did not take adequate steps to protect the data or address the vulnerabilities in its system until much later.
The OCR also found that Warby Parker did not implement reasonable security measures around sensitive health data until July 2022 and had not reviewed the security activity of its systems until May 2020. As of September 2024, the company had still not conducted a comprehensive assessment of risks to the confidentiality of health information, further contributing to its lack of compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules.
In addition to this case, HHS has taken action against other companies for similar issues. Earlier in 2024, an $80,000 settlement was reached with a Massachusetts healthcare company following a ransomware attack. In another instance, a Midwestern healthcare company was fined $950,000 for security failures. This has drawn attention to the need for stricter cybersecurity regulations, which are expected to be updated under HIPAA for the first time in over a decade.
