Background
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently imposed a $1.5 million civil money penalty against Warby Parker, Inc., a manufacturer and online retailer of eyewear, for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This penalty stems from a cyberattack that resulted in unauthorized access to the protected health information (PHI) of nearly 200,000 individuals. The breach, which occurred between September 25, 2018, and November 30, 2018, involved a “credential stuffing” attack, where unauthorized third parties accessed customer accounts using usernames and passwords obtained from other breached websites. The compromised electronic PHI (ePHI) included customer names, mailing addresses, email addresses, payment card information, and eyewear prescription details.
OCR’s investigation revealed that Warby Parker failed to conduct an accurate and thorough risk analysis, implement sufficient security measures to reduce risks to ePHI, and regularly review records of information system activity. These failures led to the imposition of a $1.5 million penalty, underscoring the importance of robust cybersecurity practices for HIPAA-covered entities.
Key Recommendations
To mitigate or prevent cyber threats, OCR recommends that healthcare providers, health plans, clearinghouses, and business associates take the following nine steps:
- Identify ePHI Locations: Understand where ePHI is stored and how it enters, flows through, and leaves your organization’s information systems. This foundational step is critical for implementing targeted security measures.
- Integrate Risk Analysis and Management: Conduct regular and thorough risk analyses to identify potential risks and vulnerabilities to ePHI. Integrate risk management practices into your business processes to address identified risks.
- Implement Audit Controls: Ensure audit controls are in place to record and examine information system activity. This helps detect and respond to unauthorized access or suspicious activity.
- Regularly Review System Activity: Implement procedures to review records of information system activity regularly. This proactive approach can help identify and address security incidents before they escalate.
- Authenticate Access to ePHI: Utilize strong authentication mechanisms to ensure only authorized users can access ePHI. Multi-factor authentication (MFA) is a recommended practice.
- Encrypt ePHI: Encrypt ePHI both in transit and at rest to protect against unauthorized access. Encryption is a critical safeguard for mitigating the impact of data breaches.
- Learn from Incidents: Incorporate lessons from past security incidents into your organization’s overall security management process. Continuous improvement is key to staying ahead of evolving cyber threats.
- Provide Regular HIPAA Training: Offer staff regular, role-specific training. Ensure that employees understand their responsibilities in protecting ePHI and recognize potential security threats.
- Stay Informed and Compliant: Keep abreast of OCR guidance and updates to the HIPAA Privacy, Security, and Breach Notification Rules. Regularly review and update your policies and procedures to ensure compliance.
Conclusion
The Warby Parker case is a stark reminder of the importance of robust cybersecurity practices for HIPAA-covered entities. By taking proactive steps to identify risks, implement safeguards, and train employees, healthcare organizations can better protect ePHI and avoid costly penalties. OCR’s enforcement actions highlight the need for vigilance and compliance with the HIPAA Security Rule to safeguard patient information and maintain trust.
For more information, visit the following resources:
