
The Trump administration’s U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first HIPAA penalty last week. OCR imposed a $1,500,000 civil money penalty against Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, for violations of the HIPAA Security Rule.
OCR began an investigation after receiving a breach report filed by Warby Parker in December 2018. The report stated that in November 2018, Warby Parker became aware of unusual attempted log-in activity on its website. Warby Parker reported that between September 25 and November 30, 2018, unauthorized third parties accessed Warby Parker customer accounts using usernames and passwords that had been compromised in data breaches of other, unrelated services; because those customers had reused the same passwords at Warby Parker, the stolen credentials worked there too. This type of cyberattack is often referred to as “credential stuffing.”
In September 2020, Warby Parker filed an addendum to its December 2018 breach report, updating the number of individuals affected by the breach to 197,986. The compromised electronic protected health information (ePHI) included customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information. Following similar attacks, Warby Parker filed subsequent breach reports (each affecting fewer than 500 persons) in April 2020 and June 2022.
In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $1,500,000 civil money penalty. Warby Parker waived its right to a hearing and did not contest OCR’s imposition of a civil money penalty. Accordingly, in December 2024, OCR imposed a civil money penalty of $1,500,000.
“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” said OCR Acting Director Anthony Archeval. “Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
How Credential Stuffing Works
Credential stuffing is a cyberattack in which the attacker collects thousands to millions of stolen account credentials, typically consisting of lists of usernames or email addresses and their corresponding passwords (often obtained from a data breach). The attacker then uses these credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed at a web application.
Hackers used credential stuffing against genetic testing company 23andMe in October 2023 to access data of nearly 6.9 million individuals. Because each attempt presents a valid username and password, an individual stuffing login is indistinguishable from a legitimate one and passes controls that look for exploits or malformed requests; detection has to rely on the aggregate pattern instead, such as a single source cycling through many different accounts with a high failure rate.
Credential stuffing works because many users reuse the same username/password combination across multiple sites. One survey reported that 81% of users have reused passwords across two or more sites, and 25% use the same passwords across most of their accounts.
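The aggregate pattern described above is what a review of login records should surface. The following detector is an added example, not code from Warby Parker, OCR, or the original article: it parses a constructed login audit log (format, thresholds, and the five-minute window are assumptions), separates credential stuffing (one source, many accounts, mostly failures) from single-account brute force, lists the accounts that were successfully entered from a stuffing source so they can be reset and counted toward breach notification, and gives a global count of distinct failing accounts to catch attacks spread across a botnet where no single IP trips the per-source thresholds.

```python
"""Credential-stuffing detector over web login audit records.

Added example; the log format, thresholds and sample lines below are
assumptions and constructed data, not Warby Parker's systems or logs.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log: <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
# 203.0.113.5 cycles through ten accounts (stuffing, two hits),
# 198.51.100.7 is one user mistyping a password, 192.0.2.9 hammers one account.
SAMPLE_LOG = """
2018-11-20T10:00:01Z 203.0.113.5 alice@example.com FAIL
2018-11-20T10:00:02Z 203.0.113.5 bob@example.com FAIL
2018-11-20T10:00:02Z 203.0.113.5 carol@example.com OK
2018-11-20T10:00:03Z 203.0.113.5 dave@example.com FAIL
2018-11-20T10:00:03Z 203.0.113.5 erin@example.com FAIL
2018-11-20T10:00:04Z 203.0.113.5 frank@example.com FAIL
2018-11-20T10:00:04Z 203.0.113.5 grace@example.com OK
2018-11-20T10:00:05Z 203.0.113.5 heidi@example.com FAIL
2018-11-20T10:00:05Z 203.0.113.5 ivan@example.com FAIL
2018-11-20T10:00:06Z 203.0.113.5 judy@example.com FAIL
2018-11-20T10:01:00Z 198.51.100.7 alice@example.com FAIL
2018-11-20T10:01:20Z 198.51.100.7 alice@example.com FAIL
2018-11-20T10:01:45Z 198.51.100.7 alice@example.com OK
2018-11-20T10:02:00Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:01Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:02Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:03Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:04Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:05Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:06Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:07Z 192.0.2.9 mallory@example.com FAIL
2018-11-20T10:02:08Z 192.0.2.9 mallory@example.com FAIL
"""

# Assumed thresholds; tune them against the site's normal login traffic.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 8         # attempts from one source inside WINDOW before we judge it
MIN_DISTINCT_USERS = 6   # many accounts from one source is the stuffing signature
MIN_FAIL_RATIO = 0.5     # stuffing lists mostly miss; legitimate users mostly succeed


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed four-column format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(when, src, user.lower(), outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def classify_source(events: list[LoginEvent]) -> dict[str, str]:
    """Return {source_ip: verdict} for sources whose activity in any WINDOW looks automated."""
    by_src: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    verdicts: dict[str, str] = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_ATTEMPTS:
                continue
            fails = sum(not e.ok for e in window)
            users = {e.user for e in window}
            if fails / len(window) < MIN_FAIL_RATIO:
                continue
            if len(users) >= MIN_DISTINCT_USERS:
                verdicts[src] = "credential_stuffing"
                break
            if len(users) == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts


def compromised_accounts(events: list[LoginEvent], verdicts: dict[str, str]) -> list[str]:
    """Accounts successfully entered from a stuffing source: reset and count for notification."""
    return sorted({e.user for e in events if e.ok and verdicts.get(e.src) == "credential_stuffing"})


def peak_distinct_failing_users(events: list[LoginEvent]) -> int:
    """Most distinct accounts with a failed login inside one WINDOW, across all sources.
    A botnet that keeps every IP under the per-source thresholds still moves this number."""
    fails = [e for e in events if not e.ok]
    peak, start = 0, 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts > WINDOW:
            start += 1
        peak = max(peak, len({e.user for e in fails[start:end + 1]}))
    return peak


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_source(evs)
    print("verdicts:", verdicts)
    print("accounts to reset:", compromised_accounts(evs, verdicts))
    print("peak distinct failing accounts in one window:", peak_distinct_failing_users(evs))
```

Run on the sample, the detector flags 203.0.113.5 as credential stuffing and 192.0.2.9 as brute force, leaves the mistyping user alone, and returns carol and grace as the accounts that were actually entered. The per-source rule is the cheap first pass; the global count is what you compare against a baseline when the attacker rotates through proxies, which is the common case for a campaign that runs for two months as the Warby Parker one did.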
Security Rule Failures
OCR’s investigation found evidence of three violations of the HIPAA Security Rule.
These included:
- a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems,
- a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level and
- a failure to implement procedures to review records of information system activity regularly.
Mitigation Steps to Prevent HIPAA Violations
OCR recommends that covered entities and business associates take the following steps to mitigate or prevent cyber threats and stay compliant with HIPAA:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate risk analysis and risk management into the organization’s business processes.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Use authentication mechanisms, such as multi-factor authentication, to ensure that only authorized users are accessing ePHI; a password alone does not distinguish the account holder from someone replaying credentials stolen elsewhere.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training specific to the organization and their respective job duties.