The U.S. Department of Health and Human Services (HHS) imposed a $1.5 million penalty on American eyewear manufacturer and retailer Warby Parker due to its failure to secure its systems from a credential stuffing attack in 2018 that compromised almost 200,000 individuals' protected health information, reports The Record, a news site managed by Recorded Future.

Aside from failing to evaluate the possible risks and vulnerabilities surrounding health data confidentiality as of September, Warby Parker had also deferred conducting information system activity reviews and implementing security protections for sensitive data until a month after filing for separate breaches in April 2020 and June 2022, respectively, according to the HHS Office for Civil Rights.

Such a development — which comes after separate fines against cyberattack-hit healthcare organizations Elgon Information Systems and Heritage Valley Health System over Health Insurance Portability and Accountability Act violations — follows the White House's pronouncements to include cybersecurity regulations in HIPAA prior to the changeover to the Trump administration.
HHS Slaps Warby Parker With $1.5M Penalty Over Data Breach

The headquarters building of the U.S. Department of Health and Human Services is the Hubert H. Humphrey (Photo credit: Library of Congress Prints and Photographs Division Washington, D.C.)