HHS Imposes $1.5m fine on Warby Parker for Security Rule Violations
- johnehaskell
- Feb 21
- 2 min read

The U.S. Dept. of Health and Human Services ("HHS") announced its first enforcement action since the new Administration took office. The enforcement action alleges that Warby Parker, a manufacturer and e-retailer of prescription and non-prescription eyewear, failed to meet its compliance obligations under the Security Rule and hit the entity with a $1.5m fine.
According to the press release and Notice of Proposed Determination ("NPD"), in November 2018 Warby Parker became aware of unusual login attempts on its website. The entity discovered that from September 25, 2018 through November 30, 2018, third-party actors gained access to some Warby Parker customer accounts through a credential stuffing attack. Warby Parker submitted an initial breach report to HHS on December 20, 2018. Additional credential stuffing attacks occurred in September 2019, January 2020, April 2020, and June 2022, all after HHS initiated its investigation of Warby Parker in September 2019. According to HHS, these additional attacks led to the breach of 484 customers' accounts.
In total, 197,968 individuals' PHI was impacted by these separate attacks.
HHS alleges the following violations:
- Failure to conduct an accurate and thorough risk assessment, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).
- Failure to implement procedures to regularly review records of information system activity, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D).
According to the NPD, Warby Parker addressed these compliance failures, but not until after HHS initiated its investigation, and, in the case of the failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, not until 2022. Moreover, the NPD states that the risk analysis violation "remains unaddressed."
It's important to note that the NPD was sent to Warby Parker in December 2024, meaning we have yet to see an enforcement action brought by the current Administration (although the new Administration has only been in place for one (1) month).
Furthermore, and consistent with HHS' enforcement actions over the past four (4) years, this enforcement action does not actually address the underlying breach. A breach under HIPAA requires an impermissible use or disclosure; in other words, a violation of 45 C.F.R. § 164.502(a). That subsection isn't referenced in the NPD, meaning the underlying breach report served as a vehicle for HHS to conduct a compliance review of the breached entity's security program and determine its compliance with the Security Rule. This raises the question: where 164.502(a) isn't referenced in an enforcement action, should entities assume these types of incidents are not breaches?
The answer is that entities should continue to evaluate impermissible uses and disclosures using the four-factor analysis outlined in the Breach Notification Rule when determining whether notification is appropriate.