The eyewear retailer Warby Parker was hit with a $1.5 million fine by the Department of Health and Human Services on Thursday following a credential stuffing attack in 2018 that compromised the personal information of nearly 200,000 people.

HHS’ Office for Civil Rights (OCR), which oversees Health Insurance Portability and Accountability Act (HIPAA) rules, said a number of security failures at the company warranted the fine.

The company first detected unusual log-in activity in November 2018 and determined that a third party had gained access to customer accounts by credential stuffing — when a hacker uses log-in information obtained elsewhere to try to breach accounts.

Warby Parker failed “to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities” to electronic personal health information, the OCR said, and didn’t implement security measures to reduce risks to patient information. The company didn’t implement reasonable security measures around sensitive information until July 2022, the OCR said, and didn’t implement reviews of “records of information system activity review” until May 2020.

According to the OCR, as of September 2024 Warby Parker had still not conducted an assessment of the “potential risks and vulnerabilities” to the confidentiality of the health information.

“It will require entities who maintain healthcare data to do things like encrypt that data so if attacked, it cannot be leaked on the web and endanger individuals,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology under the Biden administration, told reporters at the time.

HHS’ civil rights division reached an $80,000 settlement with a Massachusetts healthcare company in January after a 2023 ransomware attack, and levied a $950,000 fine on a Midwestern healthcare company in July 2024.
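As an added illustration, not taken from the article or from Warby Parker's own systems, this is the kind of information system activity review that surfaces credential stuffing early: a detector over constructed login records that flags a source address cycling through many distinct accounts with a low success rate. The record format and the thresholds are assumptions.

```python
"""Credential-stuffing indicator over login records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_ip, username, success).
# A real review would read these from the authentication system's logs.
SAMPLE_LOGINS = [
    ("2018-11-01T10:00:00", "203.0.113.9", "alice", False),
    ("2018-11-01T10:00:02", "203.0.113.9", "bob", False),
    ("2018-11-01T10:00:04", "203.0.113.9", "carol", True),
    ("2018-11-01T10:00:06", "203.0.113.9", "dave", False),
    ("2018-11-01T10:00:08", "203.0.113.9", "erin", False),
    ("2018-11-01T10:00:10", "203.0.113.9", "frank", True),
    ("2018-11-01T10:05:00", "198.51.100.4", "alice", False),  # one user, a typo
    ("2018-11-01T10:05:30", "198.51.100.4", "alice", True),
    ("2018-11-01T11:00:00", "192.0.2.7", "grace", True),
]


def find_stuffing_sources(records, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: (distinct_accounts, attempts, successes)} for IPs
    that try at least `min_accounts` distinct usernames within `window`
    with a low success rate. One address walking through many accounts
    is the signature of credentials replayed from another breach, not of
    a single user mistyping a password. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {user for _, user, _ in in_window}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in in_window if ok)
            if successes / len(in_window) <= max_success_rate:
                flagged[ip] = (len(accounts), len(in_window), successes)
    return flagged


if __name__ == "__main__":
    for ip, (accts, tries, wins) in find_stuffing_sources(SAMPLE_LOGINS).items():
        print(f"{ip}: {accts} accounts, {tries} attempts, {wins} successes")
```

A flagged address that also produced successful logins is the case worth acting on first, since those are the accounts the attacker actually reached.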
This Cyber News was published on therecord.media. Publication date: Fri, 21 Feb 2025 17:45:04 +0000