Warby Parker slapped with $1.5 million penalty for HIPAA breach
February 25, 2025
Hackers gained unauthorized access to nearly 200,000 individuals’ protected health information in a 2018 attack; investigators find three HIPAA Security Rule violations.
Tag(s): Advocacy, Patient Protection
Warby Parker faces a $1.5 million fine after federal investigators determine nearly 200,000 customers’ protected data were exposed in cyberattacks. The action comes months after the AOA raised concerns with regulators over the company’s adherence to HIPAA requirements.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Feb. 20 that Warby Parker, the direct-to-consumer eyewear brand, would pay the $1.5 million civil money penalty resulting from a self-reported cybersecurity breach, occurring between Sept. 25 and Nov. 30, 2018. The compromised electronic protected health information (ePHI) included customer names, mailing addresses, email addresses, certain payment card information and eyewear prescription information of 197,986 individuals.
The OCR enforcement action tracks with a detailed AOA complaint filed with the U.S. Federal Trade Commission in August 2023 that specifically raised concerns about Warby Parker’s adherence to HIPAA requirements, as well as an apparent effort to disclaim liability for any “data loss.”
“In addition to our work in Washington, D.C., to safeguard optometry’s essential and expanding role in health care, the AOA is an active watchdog focused on holding companies and special interests accountable for false or misleading claims and schemes aimed at undermining quality care standards,” says AOA President Steven T. Reed, O.D. “We’ll be paying close attention to ensure that the lessons of this enforcement action stick.”
Doctors also should be aware that HIPAA requires covered entities and their business associates to conduct a risk assessment of their health care organization. A risk assessment helps the organization ensure its compliance with HIPAA’s administrative, physical and technical safeguards. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the OCR, developed a downloadable Security Risk Assessment (SRA) Tool to help guide doctors through the process.
Warby Parker reports breaches of customer data
Warby Parker first reported a breach in December 2018 after it became aware of unusual attempted log-in activity on its website a month earlier. Unauthorized third parties gained access to customer accounts via a “credential stuffing” cyberattack, in which attackers replay username and password pairs obtained from other, presumably breached, websites against the target site’s login page, relying on customers reusing the same credentials.
The OCR notes that Warby Parker revised its count of affected individuals in September 2020, while also reporting subsequent breaches affecting fewer than 500 persons apiece in April 2020 and June 2022.
“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” noted OCR Acting Director Anthony Archeval in a statement. “Protecting individuals’ electronic protected health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
The OCR’s investigation identified three potential HIPAA Security Rule violations:
- Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems.
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Failure to implement procedures to regularly review records of information system activity.
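The third finding above, failure to regularly review information system activity records, is the control that would have surfaced the credential-stuffing pattern described earlier. As an added illustration that is not part of the AOA article or any Warby Parker system, the following script reviews constructed web login log lines (format and values assumed) for the stuffing signature, many distinct usernames attempted from one source in a short window, and lists the accounts that were successfully logged into from such a source, which are the accounts that would need a forced reset and breach notification.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp source_ip username result).
# 203.0.113.7 tries six different accounts in four seconds and gets into "frank";
# 198.51.100.9 is one person mistyping their own password, which should not be flagged.
SAMPLE_LOG = """\
2018-11-01T10:00:01 203.0.113.7 alice FAIL
2018-11-01T10:00:02 203.0.113.7 bob FAIL
2018-11-01T10:00:02 203.0.113.7 carol FAIL
2018-11-01T10:00:03 203.0.113.7 dave FAIL
2018-11-01T10:00:03 203.0.113.7 erin FAIL
2018-11-01T10:00:04 203.0.113.7 frank OK
2018-11-01T10:05:00 198.51.100.9 alice FAIL
2018-11-01T10:05:30 198.51.100.9 alice FAIL
2018-11-01T10:06:00 198.51.100.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def flag_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set_of_usernames} for sources that attempted at least
    min_users distinct usernames within any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def compromised_accounts(events, flagged):
    """Accounts successfully logged into from a flagged source."""
    return {user for _, ip, user, result in events
            if ip in flagged and result == "OK"}
```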
Warby Parker fined for violating consumer protection act
In 2024, Warby Parker reached a settlement with the Kentucky Attorney General’s Office for alleged violations of the state’s Consumer Protection in Eye Care Act. At the time, Warby Parker was alleged to have “improperly” administered its online vision test to 69 Kentuckians in violation of state law that established safeguards and limitations on the use of automated or virtual equipment for assessing the eye and generating refractive prescriptions.
In a letter to the attorney general, the Kentucky Optometric Association argued that Warby Parker had failed to comply with requirements that:
- Patients have had an in-person comprehensive eye health exam within the 24 months before taking an online vision assessment.
- Online assessments be reviewed by a Kentucky-licensed optometrist, ophthalmologist, osteopath or physician.
- Patients’ identification be verifiable.
- Specific disclosure statements to patients be completed before they take the online assessment.
- The standards of appropriate care be the same online as those in traditional in-person clinical settings.
Ultimately, Warby Parker agreed to pay a $138,000 penalty that could be reduced to $55,200 if there are no further violations for five years. Additionally, the retailer updated its website to call attention to localities ineligible for its ‘Virtual Vision Test,’ namely Alaska, Washington, D.C., Georgia, Idaho, Kentucky, New Jersey, New Mexico, South Carolina, South Dakota, Washington and West Virginia.