Warby Parker slapped with $1.5 million penalty for HIPAA breach

February 25, 2025
Hackers gained unauthorized access to nearly 200,000 individuals’ protected health information in 2018 attack; investigators find three HIPAA Security Rule violations.

Warby Parker faces a $1.5 million fine after federal investigators determine nearly 200,000 customers’ protected data were exposed in cyberattacks. The action comes months after the AOA raised concerns with regulators over the company’s adherence to HIPAA requirements. 

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Feb. 20 that Warby Parker, the direct-to-consumer eyewear brand, would pay the $1.5 million civil money penalty resulting from a self-reported cybersecurity breach, occurring between Sept. 25 and Nov. 30, 2018. The compromised electronic protected health information (ePHI) included customer names, mailing addresses, email addresses, certain payment card information and eyewear prescription information of 197,986 individuals. 

The OCR enforcement action tracks with a detailed AOA complaint filed with the U.S. Federal Trade Commission in August 2023 that specifically raised concerns about Warby Parker’s adherence to HIPAA requirements, as well as an apparent effort to disclaim liability for any “data loss.” 

“In addition to our work in Washington, D.C., to safeguard optometry’s essential and expanding role in health care, the AOA is an active watchdog focused on holding companies and special interests accountable for false or misleading claims and schemes aimed at undermining quality care standards,” says AOA President Steven T. Reed, O.D. “We’ll be paying close attention to ensure that the lessons of this enforcement action stick.” 

Doctors also should be aware that HIPAA requires covered entities and their business associates to conduct a risk assessment of their health care organization. A risk assessment helps the organization ensure its compliance with HIPAA’s administrative, physical and technical safeguards. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the OCR, developed a downloadable Security Risk Assessment (SRA) Tool to help guide doctors through the process. 

Access the HHS Security Risk Assessment Tool 

Warby Parker reports breaches of customer data 

Warby Parker first reported a breach in December 2018 after it became aware of unusual attempted log-in activity on its website a month earlier. Unauthorized third parties gained access to customer accounts via a “credential stuffing” cyberattack, in which hackers use usernames and passwords obtained from other websites, presumably breached, to gain account access. 

The OCR notes that Warby Parker amended its number of affected individuals in September 2020, while also reporting subsequent breaches affecting fewer than 500 persons apiece in April 2020 and June 2022. 

“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” noted OCR Acting Director Anthony Archeval in a statement. “Protecting individuals’ electronic protected health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.” 

The OCR’s investigation reported three potential HIPAA Security Rule violations, including: 

  1. Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems.
  2. Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  3. Failure to implement procedures to regularly review records of information system activity. 
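The credential-stuffing pattern described above (one source trying many different usernames, mostly failing, with a few successes) is exactly what the third finding, regular review of information system activity records, is meant to catch. The following is an added illustration, not code from Warby Parker, the OCR or this article: it parses a constructed authentication log format, groups attempts by source IP, and flags sources whose attempts inside a short window span many distinct accounts with a high failure rate. The log format, the sample lines, the IP addresses and the thresholds (`window`, `min_users`, `min_fail_ratio`) are all assumptions made for the example; a real deployment would tune them to its own traffic.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added illustration, not Warby Parker's or OCR's code. The log format,
thresholds and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: ISO timestamp, source IP, username, outcome
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays ten different accounts in about a
# minute (one succeeds); 198.51.100.20 is a real user mistyping a password;
# 192.0.2.9 is two unrelated logins hours apart.
SAMPLE_LOG = [
    "2018-10-02T03:14:05 ip=203.0.113.7 user=alice result=fail",
    "2018-10-02T03:14:09 ip=203.0.113.7 user=bob result=fail",
    "2018-10-02T03:14:14 ip=203.0.113.7 user=carol result=ok",
    "2018-10-02T03:14:20 ip=203.0.113.7 user=dave result=fail",
    "2018-10-02T03:14:26 ip=203.0.113.7 user=erin result=fail",
    "2018-10-02T03:14:31 ip=203.0.113.7 user=frank result=fail",
    "2018-10-02T03:14:37 ip=203.0.113.7 user=grace result=fail",
    "2018-10-02T03:14:42 ip=203.0.113.7 user=heidi result=fail",
    "2018-10-02T03:14:48 ip=203.0.113.7 user=ivan result=fail",
    "2018-10-02T03:14:55 ip=203.0.113.7 user=judy result=fail",
    "2018-10-02T08:00:01 ip=198.51.100.20 user=pat result=fail",
    "2018-10-02T08:00:40 ip=198.51.100.20 user=pat result=fail",
    "2018-10-02T08:01:12 ip=198.51.100.20 user=pat result=ok",
    "2018-10-02T09:30:00 ip=192.0.2.9 user=quinn result=ok",
    "2018-10-02T17:45:00 ip=192.0.2.9 user=rosa result=ok",
    "this line is malformed and is skipped",
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs whose attempts look like credential
    stuffing: at least `min_users` distinct usernames inside `window`, with a
    failure ratio of at least `min_fail_ratio`. Thresholds are assumptions."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        # Sliding window anchored at each event from this IP.
        for i, start in enumerate(evs):
            j = i
            while j < len(evs) and evs[j]["ts"] - start["ts"] <= window:
                j += 1
            span = evs[i:j]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if e["result"] == "fail")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failure_ratio": round(ratio, 2),
                    # Accounts the source actually got into: these are the
                    # records that would need breach review and notification.
                    "successes": sorted(e["user"] for e in span
                                        if e["result"] == "ok"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The `successes` field is the part a defender cares most about: a stuffing campaign is only a breach for the accounts it actually opened, and those are the ones whose records must be reviewed and whose owners must be notified. Per-username failure counting alone would miss this pattern, since each account sees only one attempt; grouping by source is what makes the spray visible.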

Warby Parker fined for violating consumer protection act 

In 2024, Warby Parker reached a settlement with the Kentucky Attorney General’s Office for alleged violations of the state’s Consumer Protection in Eye Care Act. Warby Parker was alleged to have “improperly” administered its online vision test to 69 Kentuckians, in violation of a state law that established safeguards and limitations on the use of automated or virtual equipment for assessing the eye and generating refractive prescriptions. 

In a letter to the attorney general, the Kentucky Optometric Association argued that Warby Parker had failed to comply with requirements that: 

  • Patients get an in-person comprehensive eye health exam within the previous 24 months before taking an online vision assessment.
  • Online assessments be reviewed by a Kentucky-licensed optometrist, ophthalmologist, osteopath or physician.
  • Patients’ identification be verifiable.
  • Specific disclosure statements to patients be completed before they take the online assessment.
  • The standards of appropriate care be the same online as those in traditional in-person clinical settings. 

Ultimately, Warby Parker agreed to pay a $138,000 penalty that could be reduced to $55,200 if there are no further violations for five years. Additionally, the retailer updated its website to call attention to localities ineligible for its ‘Virtual Vision Test,’ namely Alaska, Washington, D.C., Georgia, Idaho, Kentucky, New Jersey, New Mexico, South Carolina, South Dakota, Washington and West Virginia. 
