Warby Parker HIPAA Security Rule Violations

Warby Parker is a Delaware public benefit corporation, headquartered in New York City. It is a manufacturer and e-retailer of prescription and non-prescription eyewear. Warby Parker has approximately 200 physical stores and employs over 3,000 people. Its net revenue for the third quarter of 2024 alone was approximately $200 million.

Warby Parker, more prosaically, is a covered entity under HIPAA. In late February of 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had issued a $1.5 million civil monetary penalty against Warby Parker for Warby Parker’s violations of the HIPAA Security Rule.

Warby Parker HIPAA Security Rule Violations: Stuff It

Between the end of September 2018 and November 2018, unauthorized third parties gained access to Warby Parker customer accounts (Warby Parker’s active customer base is approximately 2.5 million people).

The hackers gained access, Warby Parker discovered in November of 2018, by using user names and passwords obtained from other, unrelated websites that were presumably breached. There is a name for this practice: credential stuffing.

The HHS Cybersecurity Program Office of Information Security describes credential stuffing: “Fueled by data breaches, attackers amass a list of stolen (legitimate) username/password combinations, [and] “stuff” those credentials into a program to automate validity checking. [Credential stuffing] exploits password recycling across accounts.”

OCR began an investigation the month following Warby Parker’s required breach report filing. The report noted that Warby Parker became aware of unusual, attempted login activity in November and noted the number of individuals affected by the breach. In September 2020, Warby Parker filed an amended breach report that updated the “number of affected individuals” upward to 197,986 people. The amended report noted that the affected PHI included customer names, mailing addresses, email addresses, the last four digits of any payment card information stored on the customer’s account, and for 177,890 of the individuals, eyewear prescription information.

In September 2019, January 2020, April 2020, and June 2022, Warby Parker experienced subsequent credential stuffing attacks, resulting in further unauthorized login activity leading to the breach of additional customer protected health information.

Warby Parker HIPAA Security Rule Violations: Seeing Double

After investigation of the various incidents, OCR concluded that Warby Parker committed HIPAA Security Rule violations. First, Warby Parker had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it held during the period when the attacks took place. Warby Parker failed to conduct a security risk assessment (SRA).

Second, OCR concluded that Warby Parker failed to conduct risk management – that is, it failed to implement security measures sufficient to reduce risks and vulnerabilities (which risks and vulnerabilities, OCR concluded, Warby Parker failed to assess) to a reasonable and appropriate level until July 29, 2022.

Finally, OCR concluded that Warby Parker committed a HIPAA Security Rule violation by failing to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, until May 12, 2020. 

Risk analysis, risk management, and information system activity review work in tandem. Information system activity review identifies vulnerabilities that should be assessed in a risk analysis. Risk management security measures, undertaken in response to risk analysis findings, reduce risks and vulnerabilities to a reasonable and appropriate level.
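The two technical threads in this story, the credential stuffing pattern HHS describes above and the audit-log review Warby Parker was cited for not doing, come together in a single defensive check: periodically scanning authentication records for sources that try many different usernames in a short window with mostly failed results. The script below is an added example written for this article; it is not Warby Parker's code or anything OCR published. It assumes a constructed log format (one JSON object per line with ts, src_ip, user and result fields) and illustrative thresholds (a 10-minute window, at least 5 distinct usernames, an 80% failure rate); real systems will have their own formats and tuning.

```python
"""Credential-stuffing indicators from an authentication log (added example).

Assumed log format (constructed for this example): one JSON object per line
with "ts" (UTC, ISO 8601), "src_ip", "user" and "result" ("ok" or "fail").
The sample lines below are fabricated; the IPs are documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries eight different accounts in three
# minutes and gets one right; two other sources show ordinary user behaviour.
SAMPLE_LOG = """\
{"ts": "2018-10-01T02:00:01Z", "src_ip": "203.0.113.7", "user": "u1@example.com", "result": "fail"}
{"ts": "2018-10-01T02:00:03Z", "src_ip": "203.0.113.7", "user": "u2@example.com", "result": "fail"}
{"ts": "2018-10-01T02:00:05Z", "src_ip": "198.51.100.4", "user": "alice@example.com", "result": "fail"}
{"ts": "2018-10-01T02:00:06Z", "src_ip": "203.0.113.7", "user": "u3@example.com", "result": "fail"}
{"ts": "2018-10-01T02:00:09Z", "src_ip": "203.0.113.7", "user": "bob@example.com", "result": "ok"}
{"ts": "2018-10-01T02:00:12Z", "src_ip": "203.0.113.7", "user": "u5@example.com", "result": "fail"}
{"ts": "2018-10-01T02:00:40Z", "src_ip": "198.51.100.4", "user": "alice@example.com", "result": "ok"}
{"ts": "2018-10-01T02:01:15Z", "src_ip": "203.0.113.7", "user": "u6@example.com", "result": "fail"}
{"ts": "2018-10-01T02:01:10Z", "src_ip": "192.0.2.9", "user": "carol@example.com", "result": "ok"}
{"ts": "2018-10-01T02:02:30Z", "src_ip": "203.0.113.7", "user": "u7@example.com", "result": "fail"}
{"ts": "2018-10-01T02:02:58Z", "src_ip": "203.0.113.7", "user": "u8@example.com", "result": "fail"}
"""


def parse_log(text):
    """Parse newline-delimited JSON auth events into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources whose activity in any sliding
    window touches many distinct usernames with a high failure rate, which is
    the signature of automated credential stuffing rather than a user who
    mistyped a password. Summary includes accounts that succeeded from that
    source, i.e. the accounts a reviewer should reset and notify."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so all events fit within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            if len(users) < min_users or fails / len(win) < min_fail_ratio:
                continue
            succeeded = {e["user"] for e in win if e["result"] == "ok"}
            prev = flagged.get(ip)
            if prev is not None:
                succeeded |= prev["_hits"]
            if prev is None or len(win) > prev["attempts"]:
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "failures": fails, "first_seen": win[0]["ts"],
                               "last_seen": win[-1]["ts"], "_hits": succeeded}
            else:
                prev["_hits"] = succeeded

    # Expose the compromised-account set as a stable sorted list.
    for summary in flagged.values():
        summary["compromised_accounts"] = sorted(summary.pop("_hits"))
    return flagged


def accounts_to_remediate(flagged):
    """Union of accounts that were successfully logged into from flagged sources."""
    accounts = set()
    for summary in flagged.values():
        accounts.update(summary["compromised_accounts"])
    return sorted(accounts)


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, s in hits.items():
        print(f"{ip}: {s['attempts']} attempts, {s['distinct_users']} usernames, "
              f"{s['failures']} failures, {s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S}")
    print("accounts to reset/notify:", accounts_to_remediate(hits))
```

The point of the per-source view is that each individual failed login looks unremarkable; it is the review across records, the thing the Security Rule's information system activity review standard asks for, that surfaces the pattern. In practice the flagged sources feed rate limiting or blocking, the compromised accounts feed forced password resets and breach-notification scoping, and the fact that the attack worked at all feeds the risk analysis (password reuse by customers is a risk the covered entity has to assess and manage, for example with multi-factor authentication or breached-password screening).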

In March 2024, OCR notified Warby Parker of the results of its HIPAA Security Rule violations investigation and offered to resolve the matter informally. The parties could not reach a resolution, and in early September 2024, OCR issued a Notice of Proposed Determination to Warby Parker, in which OCR proposed to impose a civil money penalty of $1,500,000 for the HIPAA Security Rule violations. 

The Notice of Proposed Determination contained a discussion of the factors OCR considered in determining the amount of the proposed CMP. Legislation passed in early 2021 requires OCR to consider whether an entity that sustains a Security Rule violation had recognized security practices (RSPs) in place for at least the previous 12 months. If OCR finds that a Security Rule-violating entity had such practices in place, OCR is empowered to reduce the amount of a civil monetary penalty, and to terminate an audit early and favorably. 

In January 2024, OCR provided Warby Parker with an opportunity to demonstrate it had RSPs in place. Warby Parker responded to OCR’s request on February 5, 2024. Upon examination of the requested data, policies and procedures, OCR determined Warby Parker’s response did not adequately demonstrate that it had substantially implemented any RSPs in the previous 12 months. So, no early termination or reduction in the CMP amount.

Warby Parker waived its right to a hearing afforded to it in the Notice of Proposed Determination, and did not contest the imposition of a CMP. As a result, in December 2024, OCR imposed a civil money penalty of $1,500,000 for the HIPAA Security Rule violations.

In announcing the civil monetary penalty, Acting OCR Director Anthony Archeval (appointed by President Trump and expected to fill the role on a permanent basis) noted, “Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule. Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
