$1.5M Warby Parker Fine a Holdover; OCR Focuses On Men in Sports, Antisemitism, ‘Biological Truth’

Health Care Compliance Association (HCCA)

Report on Patient Privacy 25, no. 3 (March 2025)

Nearly six years to the day that Warby Parker reported a breach affecting nearly 200,000 individuals, the HHS Office for Civil Rights (OCR) imposed a $1.5 million fine on the eyewear giant. Investigated by OCR under the Biden administration, the fine is the first HIPAA enforcement action issued since President Donald Trump was inaugurated, but it is the seventh the agency has announced since the start of this year.

Prior to her resignation sometime in January, then-OCR Director Melanie Fontes Rainer announced six separate enforcement actions, all related to HIPAA.

Acting OCR Director Anthony Archeval announced the Warby Parker fine on Feb. 20. It was imposed on Dec. 11 under Fontes Rainer, according to the notice of final determination the agency posted online. OCR’s announcement mirrors those issued under Fontes Rainer and her predecessors, but there are noteworthy changes among OCR’s recommendations for covered entities (CEs) and business associates (BAs) that the agency typically lists at the end of its enforcement news releases. For example, OCR is qualifying its recommendation for encryption, now stating it should be implemented “when appropriate.” [1]

Because the Warby Parker case is a holdover from the previous administration, it’s perhaps not a clear indication that HIPAA will be a primary focus under Trump’s OCR. The agency’s announcement of the fine includes a statement toward the end that is identical to what appears in Biden-era announcements: “OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.”

But HIPAA CEs, BAs and others looking for changes between the two administrations have other developments to monitor. In recent weeks, OCR described three new efforts. In its words, it is taking actions to “keep men out of women’s sports,” “protect minors and restore biological truth” and “combat antisemitism.” Specifically:

  • On Feb. 21, Archeval announced the “initiation of a compliance review of the Maine Department of Education, including the University of Maine System, based on information that Maine intends to defy” an executive order it said prohibits “biological males to compete in women’s sports. The investigation will examine whether the State of Maine engaged in discrimination on the basis of sex under Title IX of the Education Amendments of 1972, as amended, and its HHS implementing regulation.”[2] RPP asked Archeval, HHS and OCR for the basis of this review, given that there was no mention of HHS funds being utilized, but did not receive a reply. The announcement said the agency’s “action is part of a larger initiative to defend women and children and restore biological truth to the federal government.”

  • On Feb. 20, OCR announced it had “rescinded prior Administration guidance entitled ‘HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy,’ issued March 2, 2022. This rescission supports Administration policy in Executive Order 14187 that HHS will not promote, assist, or support ‘the so-called transition’ of a child from one sex to another, and it will rigorously enforce all laws that prohibit or limit these destructive and life-altering procedures.”[3]

  • On Feb. 3, HHS, OCR and the Department of Justice announced the “initiation of compliance reviews for four medical schools following reports of antisemitic incidents during their 2024 commencement ceremonies. The investigations will examine whether the medical schools complied with their obligations under Title VI of the Civil Rights Act of 1964 and Section 1557 of the Affordable Care Act to not discriminate on the basis of race, color, or national origin.” Reviews of the schools—which OCR did not identify—were triggered by “reported incidents of antisemitism and displays of offensive symbols and messaging during the ceremonies, including alleged expressions of support for terrorist organizations. These reports raise serious concerns about potential violations of civil rights laws that protect students from discrimination based on race, color, and national origin.”[4]

It is not clear when Archeval was appointed; he was previously director of the Health Resources and Services Administration’s Office of Civil Rights, Diversity and Inclusion, “which focused on equal employment opportunity, accessibility, and diversity and inclusion,” according to a webpage that has since been removed. As of RPP’s deadline, Trump had not appointed a permanent OCR director (the post does not require Senate confirmation). The position was vacant for eight months following President Joe Biden’s inauguration in 2021.

An OCR focus from the first Trump administration has been renewed. A week after Trump’s inauguration, then-Acting HHS Secretary Dorothy Fink said it will be “a priority” of HHS to “strengthen enforcement” of laws that “protect the fundamental and unalienable rights of conscience and religious exercise.” Her Jan. 27 statement added, “to this end, the Office for Civil Rights will reevaluate its regulations and guidance pertaining to Federal laws on conscience and religious exercise.”[5]

Robert F. Kennedy Jr. became HHS secretary on Feb. 13; he has not addressed medical privacy or OCR publicly, it appears. Kennedy posted a two-and-a-half-minute video on YouTube, which repeats statements he made during his confirmation hearings, namely that HHS will focus on the sources of and treatments for chronic illness. He did not mention any of these new focus areas. On the same day, Trump created the President’s Make America Healthy Again Commission and named Kennedy chair.

Hackers Used Credentials From Other Breaches

Details about Warby Parker’s fine are contained in OCR’s Sept. 5, 2024, notice of proposed determination, which was sent to Chris Utecht, Warby Parker’s general counsel. Utecht did not respond to repeated requests for comment.[6]

In the notice, OCR referred to Warby Parker as a “health care provider” and stated that it had some 200 stores employing more than 300 people. The stores provide eye exams and accept insurance. Warby Parker also has a notice of privacy practices posted on its website (last updated July 20, 2021).

Warby Parker’s Dec. 21, 2018, sample breach notification on file with the California Department of Justice explains what brought OCR to its door. “Our team noticed unusual efforts to log in to Warby Parker customer accounts. We began to investigate immediately, and so far we’ve determined that unauthorized parties may have obtained your username and password elsewhere—most likely through security breaches at other companies—and may have used this information to attempt to log in to your Warby Parker account. Login attempts were made to a limited number of Warby Parker accounts from late September to late November 2018,” officials said.

The notice repeatedly refers to login “attempts” and does not state whether these were successful. It notes, however, that “if you had a payment card stored on your account, the unauthorized users may have been able to place an order on your warbyparker.com account.” Warby Parker offered individuals nothing other than advice on how to monitor their credit status and said it was requiring website users to change their passwords.

OCR Cites Three Violations

Warby Parker’s entry on OCR’s breach notification portal states that 197,986 people were affected, a number that reflects an update it made two years later, according to OCR. The agency also said that “in September 2019, January 2020, April 2020, and June 2022, Warby Parker experienced subsequent credential stuffing attacks, resulting in further unauthorized login activity leading to the breach of protected health information for 484 customers’ accounts.”

OCR said its investigation begun in 2019 found that “to date, Warby Parker has failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it held (see 45 C.F.R. § 164.308(a)(1)(ii)(A)).” This led to a $700,000 fine.

It also “did not implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level until July 29, 2022 (see 45 C.F.R. § 164.308(a)(1)(ii)(B)).” These “risk management” failures contributed $500,000 of the $1.5 million fine.

Finally, Warby Parker, according to OCR, did not “implement procedures to regularly review records of information system activity review, such as audit logs, access reports, and security incident tracking reports until May 12, 2020 (see 45 C.F.R. § 164.308(a)(1)(ii)(D)).” OCR calculated a fine of $300,000 for this. It applied annual caps to all three violations, and all were in the “reasonable cause,” or lowest tier, category. The total fine without caps would have been $5,945,200 instead of $1.5 million.
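As an added illustration of the information system activity review OCR cites (not code from the article, OCR or Warby Parker), the script below runs over login audit records and flags the pattern that characterizes credential stuffing: one source address cycling through many distinct accounts in a short window with a high failure rate. It also lists the accounts that did see a successful login from a flagged address, which is the population a forced password reset and breach notification must cover. The log format, addresses and account names are constructed for the example; the thresholds are assumptions a reviewer would tune to their own traffic.

```python
"""Audit-log review for credential-stuffing activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, source IP, account, outcome.
# One address tries eight different accounts in eleven seconds and gets
# into one of them; the other two addresses are ordinary user activity.
SAMPLE_LOG = """\
2018-10-03T02:14:07Z 203.0.113.7 alice@example.com FAIL
2018-10-03T02:14:09Z 203.0.113.7 bob@example.com FAIL
2018-10-03T02:14:10Z 203.0.113.7 carol@example.com FAIL
2018-10-03T02:14:12Z 203.0.113.7 dave@example.com SUCCESS
2018-10-03T02:14:13Z 203.0.113.7 erin@example.com FAIL
2018-10-03T02:14:15Z 203.0.113.7 frank@example.com FAIL
2018-10-03T02:14:16Z 203.0.113.7 grace@example.com FAIL
2018-10-03T02:14:18Z 203.0.113.7 heidi@example.com FAIL
2018-10-03T09:30:00Z 198.51.100.23 alice@example.com FAIL
2018-10-03T09:30:20Z 198.51.100.23 alice@example.com SUCCESS
2018-10-03T11:05:44Z 192.0.2.88 bob@example.com SUCCESS
"""

# Assumed review thresholds: within a 10-minute window, one address hitting
# at least 5 distinct accounts with at least 80% failures is suspicious.
WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 5
MIN_FAILURE_RATIO = 0.8


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, succeeded) tuples, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, ip, account, outcome == "SUCCESS"))
    records.sort(key=lambda r: r[0])
    return records


def find_credential_stuffing(records, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                             min_failure_ratio=MIN_FAILURE_RATIO):
    """Return {ip: summary} for every source address that met the thresholds
    in at least one sliding window. The summary covers every event of that
    address that fell inside a triggering window."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)

    findings = {}
    for ip, events in by_ip.items():
        suspicious = set()  # indices of events inside a window that met the thresholds
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = range(start, end + 1)
            accounts = {events[i][2] for i in span}
            failures = sum(1 for i in span if not events[i][3])
            if len(accounts) >= min_accounts and failures / len(span) >= min_failure_ratio:
                suspicious.update(span)
        if suspicious:
            hits = [events[i] for i in sorted(suspicious)]
            findings[ip] = {
                "attempts": len(hits),
                "accounts_targeted": len({e[2] for e in hits}),
                "failures": sum(1 for e in hits if not e[3]),
                # Accounts the attacker actually got into: these need a reset
                # and are the ones counted toward a breach.
                "successful_logins": sorted({e[2] for e in hits if e[3]}),
            }
    return findings


def accounts_to_reset(findings):
    """Every account with a successful login from a flagged address."""
    accounts = set()
    for summary in findings.values():
        accounts.update(summary["successful_logins"])
    return sorted(accounts)


if __name__ == "__main__":
    found = find_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("force password reset for:", accounts_to_reset(found))
```

The per-address sliding window is what separates a stuffing run from a legitimate user mistyping a password: 198.51.100.23 fails once and then succeeds on a single account, so it never reaches the distinct-account threshold. A real deployment would read the web server or identity provider logs instead of an inline string, and would also watch for the distributed variant in which the same account list is spread across many addresses, which this per-address view does not catch.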

Once Again, No Credit for RSPs

The agency said it tried to resolve the investigation “informally” over a two-month period beginning March 14, 2024. A settlement agreement—typically accompanied by a multiyear corrective action plan (CAP)—is what OCR refers to as an informal resolution. CEs have increasingly refused to settle and instead are accepting fines because they do not want to implement CAPs that have grown ever-broader.

In fact, that’s exactly what Children’s Hospital Colorado told RPP led to a $548,265 fine. The hospital fought the imposition of fines for nearly seven years, never believed there was a breach, and criticized OCR for wasting resources that it said should have been devoted to patient care. Officials told RPP the CAP OCR proposed was “unfeasible” and that the proposed settlement amount—which it did not disclose—would still have been “significant.”[7]

OCR also didn’t give Warby Parker a break on the fine for having recognized security practices (RSPs) in place during the prior 12 months; the agency disputed Warby Parker’s contention that these were implemented, as it had with Children’s. CEs and those representing them have complained that OCR doesn’t explain the reasoning behind its RSP decisions, noting that despite assurances and requirements, it has never issued guidance on this topic.

BA Review, MFA Removed

As noted, OCR’s announcement of the fine concluded with a list of recommended actions, a practice that characterized Fontes Rainer’s enforcement news releases. But two differences in the Warby Parker announcement may be significant, including a possible softening toward the use of encryption for electronic protected health information (ePHI).

The first recommended action listed in Fontes Rainer’s announcements was: “Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.” This does not appear in the Warby Parker announcement.

Instead, a new first bullet states: “Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.”

A recommendation regarding multi-factor authentication (MFA) has been revised. The previous bullet said: “Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.” Multi-factor authentication has been deleted and replaced with the phrase “mechanisms to authenticate information.”

Regarding encryption—long an important but controversial “addressable” standard the industry was initially slow to embrace—Fontes Rainer’s announcements recommended CEs and BAs “encrypt ePHI to guard against unauthorized access to ePHI.”

The Warby Parker announcement states (the changes from the earlier wording, shown in bold in the original, are “in transit and at rest” and “when appropriate”): “Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.” OCR’s revised draft Security Rule, issued in January as a notice of proposed rulemaking, does away with addressable vs. required security standards. It requires encryption and no longer obligates CEs and BAs to assess whether implementation is reasonable and appropriate, in contrast to the current Security Rule. Limited exceptions to the use of encryption under the proposed rule include when a “technology asset currently used by a regulated entity that does not support encryption according to prevailing cryptographic standards.”


1 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS Office for Civil Rights Imposes a $1,500,000 Civil Money Penalty Against Warby Parker in HIPAA Cybersecurity Hacking Investigation,” news release, February 20, 2025, https://bit.ly/3Xc26Ao.

2 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS’ Civil Rights Office Acts to Keep Men Out of Women’s Sports,” news release, February 21, 2025, https://bit.ly/41CQZ69.

3 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS’ Civil Rights Office Takes Action to Support President Trump’s Executive Orders to Protect Minors and Restore Biological Truth,” news release, February 20, 2025, https://bit.ly/4icq9aq.

4 U.S. Department of Health and Human Services, Office for Civil Rights, “HHS’ Civil Rights Office Acts Swiftly to Combat Antisemitism,” news release, February 3, 2025, https://bit.ly/4jGOh6u.

5 U.S. Department of Health and Human Services, “Statement from Dr. Dorothy Fink, Acting Secretary of the U.S. Department of Health and Human Services,” January 27, 2025, https://bit.ly/3CHolHa.

6 U.S. Department of Health and Human Services, Office for Civil Rights, “Notice of Proposed Determination” issued to Chris Utecht, General Counsel Warby Parker, Inc., September 5, 2024, https://bit.ly/4kqiYgP.

7 Theresa Defino, “We’ll Take the Fine: OCR’s ‘Unwarranted,’ Costly Demands Prompted Hospital’s $538K Payment,” Report on Patient Privacy 25, no. 2 (February 2025), https://bit.ly/4bmRvZ1.
