The U.S. Department of Health and Human Services has imposed a $1.5 million penalty on American eyewear manufacturer and retailer Warby Parker due to its failure to properly secure its systems from a credential stuffing attack in 2018 that compromised almost 200,000 individuals' protected health information, reports The Record, a news site by cybersecurity firm Recorded Future.
According to the HHS Office for Civil Rights, Warby Parker not only failed to evaluate the potential risks and vulnerabilities to the confidentiality of health data as of September, but also deferred conducting information system activity reviews and implementing security protections for sensitive data until a month after filing reports on separate breaches in April 2020 and June 2022, respectively.
The development, which follows separate fines against cyberattack-hit healthcare organizations Elgon Information Systems and Heritage Valley Health System for Health Insurance Portability and Accountability Act violations, comes after the White House announced plans to add cybersecurity regulations to HIPAA before the changeover to the Trump administration.