HHS OCR Imposes $1.5 Million Civil Penalty Against Warby Parker
Wednesday, February 26, 2025

On February 20, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced it had issued a $1.5 million fine against HIPAA covered entity Warby Parker, an eyewear manufacturer and online retailer headquartered in New York City. OCR began its investigation into Warby Parker following receipt of a breach report filed with OCR by the company.

The breach report detailed that an unauthorized third party accessed Warby Parker customer accounts through the use of “credential stuffing” attacks, in which usernames and passwords previously exposed in unrelated breaches are used to gain access to user accounts. According to Warby Parker’s OCR breach report, 197,986 individuals were affected by the breach, which compromised names, mailing addresses, email addresses, payment card information and eyewear prescription information.

OCR’s investigation into Warby Parker revealed evidence of three alleged violations of the HIPAA Security Rule, including failure to conduct an accurate and thorough risk analysis, failure to implement sufficient security measures, and failure to implement procedures to regularly review information system activity records.

OCR initially issued a Notice of Proposed Determination in September of 2024, seeking to impose a civil monetary penalty, which Warby Parker did not contest. Accordingly, OCR issued a Notice of Final Determination to Warby Parker in December of 2024.

In its press release announcing the penalty, OCR Acting Director Anthony Archeval stressed that “protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
