By Greg Freeman
The Department of Health and Human Services' Office for Civil Rights (OCR) recently announced a $1.5 million civil money penalty (CMP) for HIPAA violations against Warby Parker, the online retailer of prescription and non-prescription eyewear. The case highlights the need for a prompt and effective response after a breach.
OCR began its investigation in December 2018 after a breach report regarding unauthorized access to Warby Parker customer accounts by one or more third parties.
Warby Parker became aware of unusual attempted log-in activity on its website a month earlier, OCR reports. Between Sept. 25, 2018, and Nov. 30, 2018, “unauthorized third parties gained access to Warby Parker customer accounts by using usernames and passwords obtained from other, unrelated websites that were presumably breached,” OCR reports. OCR notes that this type of cyberattack is often referred to as “credential stuffing.”
In September 2020, Warby Parker filed an addendum to its December 2018 breach report updating the number of individuals affected by the breach to 197,986.
The company also filed subsequent breach reports in April 2020 and June 2022.
“OCR’s investigation found evidence of three violations of the HIPAA Security Rule, including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI (electronic protected health information) in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity,” OCR reports.
The timeline of the breach and Warby Parker’s response is important in assessing the lessons from this case, says Deborah A. Cmielewski, JD, partner with the Schenck Price law firm in Florham Park, NJ.
“Despite the OCR’s relentless enforcement efforts, regulated entities continue to disregard the HIPAA risk analysis requirement and other basic compliance mandates. Regulated entities must treat the risk analysis like a regular check-up, which cannot be viewed as optional or deferred to a later time,” she says. “In this day and age, entities must implement a culture of compliance given the presence of dangerous cyberthreats.”
Cybercriminals are becoming more sophisticated by the minute, Cmielewski says, and regulated entities must take stock of the risks and vulnerabilities to the valuable PHI in their possession.
“Entities that disregard basic tenets of compliance do so at their own peril, and the OCR will continue to make an example out of them,” she says.
Everything in the case goes back to the risk analysis, Cmielewski says. Warby Parker apparently did not do a risk analysis, even when they knew that they had a problem, she says.
“The risk analysis is going to identify the risks and vulnerabilities to the PHI in their environment and give them a roadmap for what they need to do to address any vulnerabilities and any issues that they have,” she says. “If covered entities and business associates don’t perform their risk analysis, they do so at their own peril because this is the kind of thing that could happen when it is left to linger.”
The case illustrates how covered entities should snap to attention once they are involved with an OCR investigation, despite any deficiencies that led to the situation, Cmielewski says.
“The lesson to be learned is do your risk analysis, look at your IS activity, implement your policies and procedures, and build out a compliance plan,” she says. “If you find yourself on the regulators’ radar screen and you haven’t done what you’re supposed to do, take the opportunity to immediately clean those things up.”
The recent CMP levied by OCR spotlights the duty of health organizations to impose strict password requirements on members using their websites, says Henry Norwood, JD, an attorney with the Kaufman Dolowich law firm in San Francisco.
The credential-stuffing strategy relies on the habit of people using the same credentials for multiple websites, he notes. According to Health and Human Services (HHS), the Warby Parker incident involved hackers obtaining member credentials from other sites and then successfully using these credentials to access Warby Parker’s member site.
HHS’ finding of HIPAA Security Rule violations in this situation is significant because the hackers were only able to breach the health organization’s website after hacking other websites, Norwood says.
“This action imposes an affirmative duty on health organizations to ensure members’ passwords are sufficiently complex to avoid similar credential stuffing attacks,” he says. “Moving forward, health organizations should implement password requirements, requiring a combination of letters, numbers, and symbols, as well as length and password change requirements to lower the risk that members’ passwords are being used across multiple websites.”
The Warby Parker fine falls on the lower end of CMPs but exceeds recent voluntary settlements for large breaches caused by external actors, which often slide in under $1 million, says Amy S. Leopard, JD, partner with the Bradley law firm in Nashville, TN.
“Here, it seems they could not reach acceptable settlement terms, so OCR imposed the fine based on its legal determination that HIPAA violations occurred,” she says. “The impasse may have arisen over the status of corrective action or ongoing monitoring requirements often integral to informal resolution that may result in more favorable payment terms as well as provisions denying liability for the alleged HIPAA violation.”
OCR considers a thorough security risk assessment (SRA) foundational to HIPAA compliance, Leopard notes.
“When a breach investigation reveals the SRA has been skipped or lacks depth, the breach may appear self-inflicted. Second, promptly fix problems,” she says. “Here, several credential-stuffing breaches occurred while they were already under investigation for the initial breach, so you can expect scrutiny of the entity’s measures taken in response to the original attack.”
After a breach, the organization should demonstrate prompt action, such as retraining staff, improving monitoring for improper access, and introducing safeguards like multifactor authentication, Leopard says. If OCR does not see clear, concrete steps, it is less forgiving when subsequent breaches of a similar nature occur, she says. Since OCR has announced that it is undertaking the third phase of HIPAA audits to review security compliance most relevant to hacking and ransomware, now is a good time to refresh your risk assessment and map it to a recognized security framework, such as the National Institute of Standards & Technology’s, to prevent and reduce fines, she says.
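The credential-stuffing pattern described above (leaked username/password pairs from other sites replayed against the login page) and the "regularly review records of information system activity" finding both come down to one question: can you see a stuffing run in your own authentication logs, and can you tell which accounts it actually got into? The following is an added example, not code from Warby Parker, OCR or this article. It assumes a hypothetical one-line-per-attempt login log of the form `<ISO timestamp> ip=<addr> user=<login> result=<success|failure>` and a constructed sample; the thresholds are illustrative defaults, not values from the case.

```python
"""Credential-stuffing detector over web login logs (added example).

A single customer who mistypes a password produces a few failures for
one username from one address.  A credential-stuffing run produces a
burst of attempts for many DIFFERENT usernames from one source, almost
all of which fail (the leaked password only matches where the customer
reused it).  This script flags sources showing that shape inside a
sliding time window, then lists the successful logins from flagged
sources: those are the accounts that were actually taken over and need
a forced credential reset, not just the failures.

The log format and all sample data below are constructed for this
example; they are not Warby Parker's logs or OCR's findings.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line: 2018-11-01T02:00:00 ip=203.0.113.7 user=a@x.net result=failure
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=20, max_success_ratio=0.10):
    """Return (flagged, compromised).

    flagged:     {ip: {"attempts", "distinct_users", "successes"}} for every
                 source that, within any `window`, tried at least `min_users`
                 distinct usernames with a success ratio <= max_success_ratio.
    compromised: sorted (ip, user) pairs for successful logins from flagged
                 sources, i.e. accounts whose reused password was accepted.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # ip -> events still inside the sliding window
    all_by_ip = defaultdict(list)  # ip -> every event, for the final report
    suspects = set()

    for e in events:
        all_by_ip[e["ip"]].append(e)
        q = recent[e["ip"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:   # drop attempts older than the window
            q.popleft()
        distinct = {x["user"] for x in q}
        if len(distinct) < min_users:
            continue                            # one user retrying is not stuffing
        ok = sum(1 for x in q if x["ok"])
        if ok / len(q) <= max_success_ratio:
            suspects.add(e["ip"])

    flagged, compromised = {}, []
    for ip in sorted(suspects):
        evs = all_by_ip[ip]
        flagged[ip] = {
            "attempts": len(evs),
            "distinct_users": len({x["user"] for x in evs}),
            "successes": sum(1 for x in evs if x["ok"]),
        }
        compromised.extend((ip, x["user"]) for x in evs if x["ok"])
    return flagged, sorted(compromised)


def build_sample_log():
    """Constructed sample log: one stuffing run, one honest customer, one small probe."""
    base = datetime(2018, 11, 1, 2, 0, 0)
    lines = []
    # Attacker replays 30 leaked pairs, one per second; two customers reused their password.
    for i in range(30):
        result = "success" if i in (17, 23) else "failure"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ip=203.0.113.7 user=cust{i:03d}@example.net result={result}")
    # Legitimate customer mistypes twice, then logs in: same username throughout.
    for j, result in enumerate(("failure", "failure", "success")):
        ts = (base + timedelta(minutes=1, seconds=20 * j)).isoformat()
        lines.append(f"{ts} ip=198.51.100.5 user=alice@example.net result={result}")
    # Five-account probe: suspicious, but below the distinct-user threshold.
    for k in range(5):
        ts = (base + timedelta(minutes=2, seconds=k)).isoformat()
        lines.append(f"{ts} ip=203.0.113.9 user=probe{k}@example.net result=failure")
    return lines


if __name__ == "__main__":
    flagged, compromised = detect_stuffing(build_sample_log())
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats}")
    for ip, user in compromised:
        print(f"force reset + MFA enrollment: {user} (logged in from {ip})")
```

Keying only on source address is the minimum, not the end of the job: stuffing tools rotate through proxies, so a production rule should also count distinct usernames per ASN or user-agent fingerprint and watch for a single account being tried from many sources. The point the OCR finding makes is that the records have to be reviewed at all; a job like this, run over each day's authentication log, is what "procedures to regularly review records of information system activity" looks like in practice.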
“Update your SRA annually. If OCR identifies deficiencies, take immediate action to address them. If you experience a HIPAA violation or a breach, promptly close the gaps to remediate the underlying issue,” Leopard says. “Showing OCR your corrective measures and a proactive posture goes a long way to reducing penalties and protecting your reputation.”
Sources
- Deborah A. Cmielewski, JD, Partner, Schenck Price, Florham Park, NJ. Telephone: (973) 540-7327.
- Amy S. Leopard, JD, Partner, Bradley, Nashville, TN. Telephone: (615) 252-2309.
- Henry Norwood, JD, Kaufman Dolowich, San Francisco. Telephone: (628) 219-9814.
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.