HIPAA Enforcement Marches On (?)

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

The Office for Civil Rights announced another cyber-incident-driven HIPAA civil monetary penalty on February 20, 2025. The settlement broke a one-month lull in HIPAA enforcement announcements, though looking at the dates in the documents (all go back to the last quarter or so of 2024), it may not necessarily be an indication that enforcement of HIPAA remains an ongoing immediate priority. One side note before getting into an assessment of the settlement: if a reader subscribes to OCR’s Privacy List and/or Security List, the links to the penalty announcement, Notice of Proposed Determination, and Notice of Final Determination are not accurate (unless the messages get updated). A quick internet search will pull the correct links.

The Details

The penalty was imposed against Warby Parker, which is an online eyewear company. It’s a company focused on making it easier to get glasses, whether prescription or not. The business model is not the subject of the penalty, though; the penalty is the result of a cyberattack that occurred back in 2018. As an aside, the fact that the incident occurred in 2018 and a penalty was only imposed in late 2024 (6 years later) demonstrates the long legs that an incident can have.

As laid out in the Notice of Proposed Determination, OCR stated that Warby Parker noticed unusual login attempts around November 26, 2018. After investigating, Warby Parker determined that one or more customer accounts were compromised through a credential stuffing attack and improper access occurred from September 25, 2018 through November 30, 2018.

Within the breach reporting timeframe, Warby Parker notified OCR of the breach on December 20, 2018. As the internal assessment of the incident evolved, Warby Parker supplemented the notification to ultimately state that information about 197,986 individuals was impacted.

On September 16, 2019 (almost a full year after the notification), OCR informed Warby Parker that it would investigate the state of Warby Parker’s HIPAA compliance. While the delay is not ideal, it is important to remember that pretty much any breach notice will result in an OCR investigation. The cybersecurity problems for Warby Parker did not end with the initial incident though. OCR stated that additional credential stuffing attacks that resulted in improper access also occurred in September 2019, January 2020, April 2020, and June 2022. The ongoing failures emphasize that attacks occur all of the time, successful defense can be hard, and potentially that Warby Parker was not doing enough once it was known that its systems could be compromised.

With all of those findings in place, OCR determined that Warby Parker did not conduct an accurate and thorough risk analysis (sound familiar?), did not implement reasonable and appropriate security controls until July 2022, and did not regularly review system activity. Those findings resulted in OCR sending a Letter of Opportunity to Warby Parker on May 15, 2024 detailing the findings and giving Warby Parker the opportunity to submit information to mitigate the findings.
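The two findings above, repeated credential stuffing and a failure to regularly review system activity, are connected: credential stuffing leaves a distinctive shape in authentication logs that routine review can catch. The following is an added example written for this article, not code from OCR, Warby Parker or the original post. It runs two simple detectors over constructed login events (the log lines, IP addresses, usernames, window size and thresholds are all assumptions for illustration): one flags a source trying many different accounts with a low success rate, which is what a replayed breached-credential list looks like, and the other flags the opposite shape, one source hammering one account, so the two are not confused.

```python
"""Credential-stuffing vs. brute-force detection over constructed login events.

Added example for the article; not the original post's code and not
derived from any real Warby Parker logs. Every line in SAMPLE_LOG is
constructed, and the window/threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 203.0.113.10 tries ten different accounts in ten seconds (stuffing shape).
# 198.51.100.7 is an ordinary user who mistyped once.
# 192.0.2.5 hits a single account repeatedly (brute-force shape).
SAMPLE_LOG = """\
2018-11-26T02:00:01Z 203.0.113.10 alice@example.org FAIL
2018-11-26T02:00:02Z 203.0.113.10 bob@example.org FAIL
2018-11-26T02:00:03Z 203.0.113.10 carol@example.org FAIL
2018-11-26T02:00:04Z 203.0.113.10 dave@example.org SUCCESS
2018-11-26T02:00:05Z 203.0.113.10 erin@example.org FAIL
2018-11-26T02:00:06Z 203.0.113.10 frank@example.org FAIL
2018-11-26T02:00:07Z 203.0.113.10 grace@example.org FAIL
2018-11-26T02:00:08Z 203.0.113.10 heidi@example.org FAIL
2018-11-26T02:00:09Z 203.0.113.10 ivan@example.org FAIL
2018-11-26T02:00:10Z 203.0.113.10 judy@example.org FAIL
2018-11-26T02:01:00Z 198.51.100.7 alice@example.org FAIL
2018-11-26T02:01:30Z 198.51.100.7 alice@example.org SUCCESS
2018-11-26T03:00:00Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:01Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:02Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:03Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:04Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:05Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:06Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:07Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:08Z 192.0.2.5 mallory@example.org FAIL
2018-11-26T03:00:09Z 192.0.2.5 mallory@example.org FAIL
"""


def parse_events(text):
    """Parse log text into time-sorted (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, outcome == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=8, max_success_rate=0.3):
    """Flag source IPs that tried >= min_users distinct accounts inside `window`
    with a low success rate. A replayed breached-credential list is one guess per
    account, so the number of distinct usernames is the discriminating feature.
    Returns {ip: {"distinct_users", "attempts", "compromised"}}; "compromised"
    lists accounts the flagged source logged into successfully, which is the
    improper-access follow-up an investigator needs to chase."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start, flagged = 0, False
        for end in range(len(evs)):           # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(users) >= min_users:
                rate = sum(1 for e in win if e[3]) / len(win)
                if rate <= max_success_rate:
                    flagged = True
        if flagged:
            findings[ip] = {
                "distinct_users": len({e[2] for e in evs}),
                "attempts": len(evs),
                "compromised": sorted({e[2] for e in evs if e[3]}),
            }
    return findings


def detect_single_account_brute_force(events, window=timedelta(minutes=10),
                                      min_failures=8):
    """Flag (ip, user) pairs with >= min_failures failed logins inside `window`:
    the opposite shape from stuffing (one account, many guesses).
    Returns {ip: {user: max failures seen in one window}}."""
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[(ip, user)].append(ts)      # already time-sorted
    result = defaultdict(dict)
    for (ip, user), times in fails.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            result[ip][user] = best
    return dict(result)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, f in detect_credential_stuffing(evs).items():
        print(f"credential stuffing from {ip}: {f['distinct_users']} accounts "
              f"tried in {f['attempts']} attempts; successful logins: {f['compromised']}")
    for ip, users in detect_single_account_brute_force(evs).items():
        print(f"single-account brute force from {ip}: {users}")
```

On the constructed sample, only 203.0.113.10 is reported as stuffing (ten accounts, one success, so the follow-up list is the one account it got into), and only 192.0.2.5 as single-account brute force; the legitimate user who mistyped once trips neither. In practice the thresholds would be tuned against an organization's own baseline, and a detector like this only helps if someone actually reviews what it produces, which is the point of the "regularly review system activity" finding.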

Warby Parker responded on June 14, 2024. Unfortunately, the Notice of Proposed Determination only gives the date of the response and OCR’s uncontested statement that Warby Parker did not submit a valid affirmative defense. After running through the matrix of calculations of possible penalties, OCR announced a penalty of $1,500,000.

After all of that, Warby Parker notified OCR on December 10, 2024 that it would not contest the proposed penalty. Likely driven by the shortening runway, OCR provided Warby Parker the Notice of Final Determination on December 11, 2024, which finalized the penalty of $1,500,000.

An Analysis

Despite the penalty being issued against Warby Parker through a Notice of Final Determination which does have an uncontested finding of noncompliance, the ultimate ending of the incident is not that much different than a typical settlement announced by OCR. There is the benefit of slightly more detail in the Notice of Proposed Determination, but not to the same degree as some of the previous penalties that were accompanied by notices and detailed findings of fact.

If any particular lesson can be taken from the Warby Parker incident, it is the absolute necessity of conducting a detailed, thorough, and accurate risk analysis. It cannot be stated enough that absent the true risk analysis, it is very difficult if not impossible to implement security policies and measures that will secure the sensitive data that a healthcare entity holds.

Along with conducting the honest and deep risk analysis, it is also essential to actively monitor the operation of those security measures and know what is happening within an organization’s systems. Paper alone does not create security. Real security is an ongoing effort that involves cooperation from everyone within an organization.

The Next Settlement or Penalty?

The open question now is when OCR will announce its next settlement or penalty. As noted, the Warby Parker penalty pre-dated the current administration, as the penalty was finalized in December 2024; there was just a lag between that finalization and the formal public announcement.

How many other settlements or penalties were finalized in the waning days of the previous administration and are just awaiting release? Given the flurry of settlements right before inauguration, it is a fair bet that there are not additional finalized settlements only waiting for publication. It is difficult to know whether the same is true about penalties since those can be final and, like Warby Parker, just awaiting public notice.

The uncertainty around staffing in all of the federal agencies also contributes to the uncertainty of when and how enforcement will continue. Security does need to remain a priority, but if the threat of monetary pain from the government diminishes, will attention shift further away, absent other public pressure? It is an issue that must be tracked.

This article was originally published on The Pulse blog and is republished here with permission.