The $1,500,000 civil monetary penalty (“CMP”) the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed against online prescription and nonprescription eyewear manufacturer and online retailer Warby Parker, Inc., for Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule violations warns other HIPAA-covered health care providers, health plans, and healthcare clearinghouses (“covered entities”) and their business associate service providers (collectively, “HIPAA Entities”) to protect electronic systems holding electronic protected health information (“ePHI”) from ransomware and other hacking attacks.
HIPAA Hacking Responsibilities & Risks
The HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) set requirements that HIPAA Entities must follow to protect the privacy and security of protected health information (“PHI”).
The HIPAA Security Rule establishes national standards to protect individuals’ ePHI created, received, used, disclosed, maintained, or transmitted by a HIPAA Entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of ePHI.
OCR guidance and enforcement make clear that OCR considers protecting ePHI from improper access, use, disclosure, destruction, or other unavailability caused by ransomware and other hacking threats part of these Security Rule obligations.
Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:
- A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
- A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
- A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
- A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation for violations after November 2, 2015.
Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines.
HIPAA breaches also generally expose HIPAA Entities and their leaders to potential breach liability under federal and state electronic crimes and other data breach and security laws; Federal Trade Commission and other federal and state fraud and deceptive business laws; securities laws; and Federal Sentencing Guideline and other liability for health care or other fraud and other crimes enabled by inadequate compliance or response. Breaches can also create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and cause a host of other legal, operational, business partner and public relations headaches.
Warby Parker’s Hard Lesson
Warby Parker is the latest in a fast-mounting list of HIPAA Entities nailed for hacking-related HIPAA breaches.
The $1.5 million Warby Parker civil money penalty announced February 20, 2025 resulted from an OCR investigation of a December 2018 breach report of a hacking incident involving customer accounts filed by Warby Parker. The report stated that in November 2018, Warby Parker became aware of unusual attempted log-in activity on its website. Warby Parker reported that between September 25, 2018, and November 30, 2018, unauthorized third parties gained access to Warby Parker customer accounts by using “credential stuffing.” Hackers used usernames and passwords obtained from other, unrelated websites that were presumably breached to access the Warby Parker data.
In September 2020, Warby Parker filed an addendum to its December 2018 breach report, updating the number of individuals affected by the breach to 197,986.
The compromised ePHI included customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information.
Warby Parker also filed subsequent breach reports (each breach report affecting fewer than 500 persons) in April 2020, and June 2022, following similar attacks.
OCR’s investigation of the breach reports found evidence of three violations of the HIPAA Security Rule. These included:
- Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems;
- Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
- Failure to implement procedures to regularly review records of information system activity.
Based on these findings, OCR’s Notice of Final Determination imposed a $1,500,000 civil money penalty.
Ransomware & Other Hacking Now OCR #1 HIPAA Enforcement Priority
All HIPAA Entities should learn from the costly lessons of Warby Parker and the many other HIPAA Entities sanctioned or awaiting their consequences for hacking incidents and consult with qualified legal counsel for assistance in conducting an assessment of the adequacy of their current compliance.
Hacking, ransomware and other cyberattacks, collectively and individually, account by far for the breaches of ePHI affecting the largest number of individuals.
OCR announced various other hacking or other cyberattack related large breaches intermittently across the years.
Hacking-related HIPAA investigations and enforcement actions date back to the 2015 hacking breach at Premera Blue Cross that impacted more than 10.4 million individuals’ records and led to Premera paying OCR $6.85 million to settle resulting OCR HIPAA charges.
After periodically warning HIPAA Entities to address ransomware and hacking through its announcement of occasional hacking-related breach enforcement actions and other guidance, epidemic ransomware and other large scale cyber breaches targeting UnitedHealthcare subsidiary Change Health, Ascension Health, and many other large health care and health insurance organizations prompted OCR to identify HIPAA Security Rule breaches involving ransomware and other cyberattacks as a top prevention, investigation and enforcement priority. Since then, the list of HIPAA Entities paying OCR civil monetary penalties or settlements to resolve cyberattack-related HIPAA charges has quickly and steadily grown. With the number of cyberattacks impacting HIPAA Entities accelerating, the number and magnitude of penalties assessed will only grow.
OCR has published a long list of guidance and alerts to help HIPAA Entities fulfill their HIPAA duties to safeguard their ePHI from ransomware and other cyberattacks and resulting HIPAA liabilities.
Among other things, OCR recommends that HIPAA Entities take the following steps to mitigate or prevent cyber-threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems;
- Integrate risk analysis and risk management into the organization’s business processes;
- Ensure that audit controls are in place to record and examine information system activity;
- Implement regular reviews of information system activity;
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI;
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate;
- Incorporate lessons learned from incidents into the organization’s overall security management process; and
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
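As an added illustration of OCR’s recommendations to keep audit controls in place and to regularly review records of information system activity, the following Python example (added here; it is not from the original article, Warby Parker or OCR, and its log format, field names, thresholds and sample log lines are constructed for the example) reviews a batch of web login records for the pattern described in the Warby Parker breach report: one source attempting many different accounts with mostly failed logins. It reports any account that was nevertheless accessed from such a source so that the account can be checked and the owner notified.

```python
"""Review of login audit records for credential-stuffing patterns.

Added example, not from the original article, Warby Parker or OCR.
The log format (ISO timestamp, source IP, account, outcome), the
threshold values and the sample log lines are all constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit records. 203.0.113.5 tries eight different
# accounts in six seconds and gets into one; 198.51.100.7 is one user
# mistyping a password twice; 192.0.2.10 is a shared office address with
# a few normal logins. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-09-25T10:00:01Z 203.0.113.5 a.lee@example.org FAIL
2018-09-25T10:00:02Z 203.0.113.5 b.kim@example.org FAIL
2018-09-25T10:00:02Z 203.0.113.5 c.ruiz@example.org FAIL
2018-09-25T10:00:03Z 203.0.113.5 d.shah@example.org OK
2018-09-25T10:00:04Z 203.0.113.5 e.wong@example.org FAIL
2018-09-25T10:00:04Z 203.0.113.5 f.hale@example.org FAIL
2018-09-25T10:00:05Z 203.0.113.5 g.osei@example.org FAIL
2018-09-25T10:00:06Z 203.0.113.5 h.cole@example.org FAIL
2018-09-25T10:03:10Z 198.51.100.7 b.kim@example.org FAIL
2018-09-25T10:03:25Z 198.51.100.7 b.kim@example.org FAIL
2018-09-25T10:03:40Z 198.51.100.7 b.kim@example.org OK
2018-09-25T10:05:00Z 192.0.2.10 m.diaz@example.org OK
2018-09-25T10:05:30Z 192.0.2.10 n.park@example.org OK
2018-09-25T10:06:00Z 192.0.2.10 o.bell@example.org FAIL
2018-09-25T10:06:10Z 192.0.2.10 o.bell@example.org OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed four-field line format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_text, ip, account, outcome = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(ts, ip, account, outcome == "OK"))
    return events


def find_stuffing_sources(
    events: list[LoginEvent],
    window: timedelta = timedelta(minutes=10),
    min_accounts: int = 5,
    min_fail_rate: float = 0.8,
) -> dict[str, dict]:
    """Flag source IPs that, within `window`, attempt at least `min_accounts`
    distinct accounts with a failure rate of at least `min_fail_rate`.

    A single user who fails a few times and then succeeds is not flagged,
    because only one account is involved. For each flagged IP the largest
    qualifying window is reported, including any accounts that were
    successfully accessed from it. Threshold values are assumptions.
    """
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e.ts):
        by_ip[event.src_ip].append(event)

    alerts: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            failed = sum(1 for e in win if not e.success)
            qualifies = (len(accounts) >= min_accounts
                         and failed / len(win) >= min_fail_rate)
            if qualifies and (best is None or len(win) > best["attempts"]):
                best = {
                    "attempts": len(win),
                    "accounts": len(accounts),
                    "failed": failed,
                    "succeeded_accounts": sorted(
                        {e.account for e in win if e.success}),
                }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['attempts']} attempts across "
              f"{summary['accounts']} accounts, {summary['failed']} failed; "
              f"accounts accessed: {summary['succeeded_accounts'] or 'none'}")
```

Run against the sample, only 203.0.113.5 is reported, with d.shah@example.org listed as the account that was accessed and therefore needs follow-up. In a real review the thresholds would be tuned to the site’s normal traffic, and hits would be correlated with lockout, multi-factor authentication and password-reset records before any customer notification decision is made.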
OCR regulations, resolution agreements, and civil monetary penalty assessments also make clear that HIPAA Entities must carefully document their original risk assessments, their timely monitoring and response to new threats, the analysis underlying their risk assessments and response, and other critical details, and be prepared to produce that risk assessment in the event of an OCR investigation or audit.
This guidance also reflects that HIPAA Entities should document their ongoing use of appropriate procedures to monitor and respond to signs of threat or compromise to their own systems, as well as to OCR and other agency and industry alerts about emerging threats and susceptibilities, as part of their ongoing risk assessment and response process.
Given the high threat environment and the growing HIPAA and other liabilities that commonly follow a cyberattack breach, HIPAA Entities and their leaders should consider the advisability of conducting these assessments and any known or suspected breach investigation and response with the benefit of guidance from HIPAA-experienced legal counsel within the scope of attorney-client privilege.
HIPAA Entities also should ensure appropriate plans and resources to promptly investigate and respond to any breach that might occur. Most entities will want to secure liability insurance coverage as well as require suitable credential information, indemnification, insurance and other assurances from their business associates and other vendors with access to systems or data that include electronic PHI.
The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.
For HIPAA Help or Information
We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.
Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.
In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership through leadership involvement in a broad range of other professional and civic organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.
