HIPAA & Cybersecurity
Cybersecurity Hacking Investigation Results in $1.5 Million Penalty
OCR Imposes CMP Against Warby Parker
Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, filed a breach report with the Office for Civil Rights (OCR), the HIPAA enforcement agency. OCR launched an investigation, which revealed a cyberattack resulting in unauthorized access to the PHI of approximately 200,000 individuals.
OCR’s investigation found evidence of three violations of the HIPAA Security Rule, including:
1. Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems;
2. Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
3. Failure to implement procedures to regularly review records of information system activity.
The HIPAA Security Rule establishes national standards to protect individuals' electronic PHI (ePHI) that is created, received, used, disclosed, maintained, or transmitted by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of ePHI.
The $1.5 million civil money penalty (CMP) paid by Warby Parker resolves OCR’s investigation of this breach. Go to OCR’s Resolution Agreements page; the Warby Parker resolution was posted February 20, 2025.
Free Resources Offered by CISA - America’s Cyber Defense Agency
As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks.
CISA offers the latest cybersecurity news, advisories, alerts, tools, and resources. This agency also tracks and shares information about the latest cybersecurity risks, attacks, and vulnerabilities, providing our nation with the tools and resources needed to defend against these threats.
Secure by Design
CISA provides an information page on products designed with Secure by Design principles. These products are built to significantly decrease the number of exploitable flaws in their technology. Products should be secure out of the box, with additional security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no extra cost.
The American Institute of Healthcare Compliance (AIHC) is a Non-Profit Healthcare Training Organization and a licensing/certification partner with CMS. AIHC offers HIPAA Privacy/Security Online Courses - Learn more.