Feds fine Warby Parker $1.5 million for failing to protect customer health data
The eyewear retailer Warby Parker was hit with a $1.5 million fine by the Department of Health and Human Services on Thursday following a credential stuffing attack in 2018 that compromised the personal information of nearly 200,000 people.
HHS’ Office for Civil Rights, which oversees Health Insurance Portability and Accountability Act (HIPAA) rules, said a number of security failures at the company warranted the fine.
Warby Parker failed “to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities” to electronic personal health information, they said, and didn’t implement security measures to reduce risks to patient information.
The company first detected unusual log-in activity in November 2018 and determined that a third party had gained access to customer accounts by credential stuffing — when a hacker uses log-in information obtained elsewhere to try to breach accounts.
The compromised information included names, addresses, some payment information and records related to eyewear prescriptions. Warby Parker filed two other breach reports in April 2020 and June 2022 after smaller incidents affecting fewer than 500 people.
According to the OCR, as of September 2024 Warby Parker had still not conducted an assessment of the “potential risks and vulnerabilities” to the confidentiality of the health information. The company didn’t implement reasonable security measures around sensitive information until July 2022, they said, and didn’t implement regular reviews of records of information system activity (HIPAA’s “information system activity review”) until May 2020.
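As an added example (not from the article, the OCR or Warby Parker), the kind of activity-record review the OCR faulted the company for lacking: a small Python heuristic that reads constructed authentication log lines and flags sources that try many distinct accounts with mostly failed logins, the pattern that distinguishes credential stuffing from a user retrying a forgotten password. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2018-11-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2018-11-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2018-11-20T10:00:02Z ip=203.0.113.5 user=carol result=OK
2018-11-20T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2018-11-20T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2018-11-20T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2018-11-20T10:01:10Z ip=198.51.100.7 user=grace result=FAIL
2018-11-20T10:01:30Z ip=198.51.100.7 user=grace result=OK
"""

def parse_line(line: str) -> dict:
    """Split 'ts key=value key=value ...' into a dict (timestamp kept under 'ts')."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def aggregate(log_text: str) -> dict:
    """Per source IP: attempts, failures, distinct users tried, users that logged in OK."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok": set()})
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "OK":
            s["ok"].add(rec["user"])  # this account is now at risk
        else:
            s["failures"] += 1
    return stats

def flag_stuffing(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Return {ip: sorted accounts that logged in OK} for each suspicious source.

    Credential stuffing replays leaked username/password pairs, so one source tries
    many distinct accounts and most attempts fail; a real user retrying a password
    hits one account (198.51.100.7 is not flagged). Returned accounts need a reset.
    """
    flagged = {}
    for ip, s in aggregate(log_text).items():
        if len(s["users"]) >= min_users and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = sorted(s["ok"])
    return flagged

if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))  # {'203.0.113.5': ['carol']}
```

In production the same aggregation would run per time window (for example per 10 minutes) and the thresholds would be tuned against normal login volume, but the output is the same: sources to block or rate-limit, and accounts to reset.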
Warby Parker did not respond to a request for comment.
HHS’ civil rights division reached an $80,000 settlement with a Massachusetts healthcare company in January after a 2023 ransomware attack, and levied a $950,000 fine on a Midwestern healthcare company in July 2024.
In December, the White House said HIPAA’s rules would be updated with cybersecurity regulations for the first time since 2013.
“It will require entities who maintain healthcare data to do things like encrypt that data so if attacked, it cannot be leaked on the web and endanger individuals,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology under the Biden administration, told reporters at the time.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.