
Warby Parker fined $1.5M over HIPAA violations after cyber attacks


The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) imposed a $1.5 million civil money penalty (CMP) against Warby Parker, Inc. (Warby) following an investigation into a security breach that impacted thousands of the company’s customers.

Where to begin with this?

We’ll take it back to November 2018, when Warby reportedly became “aware of unusual, attempted log-in activity on its website,” according to a Feb. 20 statement issued by the OCR.

In December 2018, the company reported that unauthorized third parties gained access to its customer accounts between Sept. 25 and Nov. 30, 2018, by using usernames and passwords obtained from other, unrelated websites that were (presumably) breached.

In other words: Warby was hit by a cyberattack called “credential stuffing.”

  • What this is: A type of cyberattack in which attackers take compromised (stolen) usernames and passwords from previous data breaches and attempt to log in with them at many different websites and services, counting on people having reused the same credentials.

What type of information was stolen?

Among the electronic protected health information (ePHI) exposed were:

  • Customer names
  • Mailing addresses
  • Certain payment card information (last four digits)
  • Eyewear prescription information

When did the government become involved?

Warby submitted a breach report to the OCR in December 2018; upon receipt of that report, OCR initiated an investigation.

Fast forward to September 2020: Warby reportedly filed an addendum to its original 2018 breach report to update the number of consumers affected by the cyberattack to 197,986.

  • In addition: That initial breach report filing was followed by two other cyberattacks in April 2020 and June 2022, each impacting fewer than 500 customers.

So … what did this federal investigation uncover?

According to OCR: Three violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

About this rule: The Security Rule established a national set of security standards to protect patients’ health information via physical, administrative, and technical safeguards.

  • Importantly: It also mandates:
    • Only authorized parties can access PHI
    • Covered entities (such as Warby) must immediately report and resolve any ePHI breaches

Now tell me about these violations.

Among the evidence against Warby were three “failures”:

  • Failure to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to ePHI in the company’s systems
  • Failure to implement security measures sufficient to reduce risk and vulnerabilities to ePHI to a reasonable and appropriate level
  • Failure to implement procedures to regularly review records of information system activity

When was Warby notified of these?

OCR stated that it notified the company in March 2024 of the investigation’s findings and “offered (Warby) an opportunity to resolve the matter informally.”

This was followed by the federal office sending the company a Letter of Opportunity (LOO) in May 2024.

  • About this LOO: Essentially, it told Warby the preliminary indications from its investigation and that the matter had not been resolved “by informal means despite OCR’s attempts to do so.”
    • Also in the letter, OCR essentially asked the company to provide “written evidence” it did not commit any violations so as to avoid being slapped with a CMP.

Did the company respond to this?

Indeed (in June 2024).

However: Despite this response, OCR determined that the written evidence submitted by Warby did not adequately support its defense (including a lack of recognized security practices [RSPs] in place).

And this led to ….

The OCR issued a Notice of Proposed Determination (NPD) to Warby in September 2024.

  • What this is: A federal notification of a penalty (or other action) being proposed, including information on the reasons for it, the respondent’s right to a hearing, and how they can respond.

The gist of its intent: To impose a $1.5 million CMP on the company.

How did Warby respond to this?

To start, the company waived its right to a hearing and did not argue against the proposed CMP.

As a result: Via a Notice of Final Determination (NTF), OCR issued the $1.5 million penalty to the company in December 2024.

Is there a specific reason for this amount?

Yes, there is. To start, the NPD stated that the Secretary of HHS is authorized to impose such a CMP against “any covered entity” (Warby, in this case) “that violates a provision of … the Social Security Act.”

According to OCR, the amount is based on the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorizes the federal office to impose CMPs for violations.

Among the four CMP tiers noted in OCR’s NPD:

  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1.5 million.

For a breakdown of these CMPs (per violation), see pages 7-9 of the NPD.

Interesting … so what’s the takeaway from this?

Quite simply: HIPAA compliance.

OCR advised HIPAA-covered entities such as healthcare providers (HCPs), health plans, clearinghouses, and business associates to mitigate or prevent the risk of cyber-threats by adhering to a few key steps.

Among them:

  • Identifying where their ePHI is located (how ePHI enters, flows through, and leaves an organization’s information systems)
  • Integrating risk analysis and management into business processes
  • Implementing regular reviews of information system activity
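The third failure OCR cited, and the last step in its advice, is the routine review of information system activity. The pattern that such a review would have to catch in the 2018 incident is credential stuffing: a burst of login attempts against many different accounts from few sources, most of them failing, with the occasional success marking an account whose reused password was in a leaked list. The script below is an added example written for this article, not code from Warby Parker, OCR, or any product; the log format, field names, IP addresses and thresholds are all constructed for illustration, and the sample records are made up.

```python
"""Review constructed web login records for credential-stuffing activity.

A credential-stuffing run replays username/password pairs leaked from
unrelated sites. On the victim site it shows up as one source address
trying MANY distinct accounts with a HIGH failure rate. Accounts that
nevertheless logged in from such a source are the ones to treat as
compromised (forced password reset, session revocation, customer notice).

Everything here is an added, illustrative example: the line format,
thresholds and addresses are assumptions, not any company's real data.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumed log line format (constructed for this example):
#   2018-11-03T10:00:01Z ip=198.51.100.10 user=alice result=OK
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: two ordinary users, one source hammering eight accounts,
# plus one malformed line to show that unparseable records are skipped.
SAMPLE_LOG = """\
2018-11-03T10:00:01Z ip=198.51.100.10 user=alice result=OK
2018-11-03T10:00:05Z ip=198.51.100.11 user=bob result=FAIL
2018-11-03T10:00:09Z ip=198.51.100.11 user=bob result=OK
2018-11-03T10:01:00Z ip=203.0.113.5 user=carol result=FAIL
2018-11-03T10:01:01Z ip=203.0.113.5 user=dave result=FAIL
2018-11-03T10:01:02Z ip=203.0.113.5 user=erin result=FAIL
2018-11-03T10:01:03Z ip=203.0.113.5 user=frank result=OK
2018-11-03T10:01:04Z ip=203.0.113.5 user=grace result=FAIL
2018-11-03T10:01:05Z ip=203.0.113.5 user=heidi result=FAIL
2018-11-03T10:01:06Z ip=203.0.113.5 user=ivan result=FAIL
2018-11-03T10:01:07Z ip=203.0.113.5 user=judy result=FAIL
this line is deliberately malformed and must be ignored
"""


@dataclass
class SourceStats:
    """Per-source-address counters accumulated during the review."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # (user, timestamp) pairs
    first: datetime | None = None
    last: datetime | None = None


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def review_login_records(lines, *, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source addresses whose login pattern looks like credential stuffing.

    A source is reported when it touched at least `min_distinct_users` accounts
    and at least `min_fail_ratio` of its attempts failed. Both thresholds are
    assumed values for the example; a real deployment tunes them per site.
    """
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed record: skip rather than abort the review
        ts, ip, user, result = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.append((user, ts))
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)

    alerts = []
    for ip, s in sorted(stats.items()):
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_fail_ratio:
            alerts.append({
                "ip": ip,
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "fail_ratio": ratio,
                "window": (s.first.isoformat(), s.last.isoformat()),
                # Accounts that logged in successfully from the stuffing source:
                # these are the likely compromised accounts to act on first.
                "compromised_accounts": sorted(u for u, _ in s.successes),
            })
    return alerts


if __name__ == "__main__":
    for alert in review_login_records(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, only 203.0.113.5 is reported (eight accounts, 7 of 8 attempts failed) and `frank` is listed as the account that was actually entered; bob's single mistyped password from a normal address is not flagged because one user with a 50% failure rate matches neither threshold. The same two signals, distinct accounts per source and failure ratio, are what a regular log review (or an alert built on top of it) would look for, which is the substance of the "regularly review records of information system activity" requirement the article describes.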

*Disclaimer: The information provided in this article does not and is not intended to constitute legal advice; instead, all information, content, materials available herein are for general information purposes only.
