Description

Regulatory agencies and courts don’t expect your organization to implement every possible security measure, but they do require you to take reasonable steps to protect your environment. A prime example is eyewear retailer Warby Parker, which was fined $1.5 million by the Department of Health and Human Services on February 20, 2025, for failing to meet security compliance standards. The fine concerns a series of cyberattacks going all the way back to 2018. The timeline of the incidents is as follows:

  • Between September 25 and November 30, a credential stuffing attack occurred, allowing one or more unauthorized parties to gain access to the company’s systems.
  • Warby Parker filed a breach report with the Office for Civil Rights (OCR) on December 20, 2018.
  • On September 16, 2019, OCR formally notified Warby Parker in writing of the initiation of an investigation into the reported breach and the company’s compliance with HIPAA and the Breach Notification Rule.
  • Warby Parker issued an amended report on September 18, 2020, informing OCR that more than 197,000 individuals were affected by the initial attack. The compromised information included customer names, mailing addresses, email addresses, and the last four digits of any payment card stored on the customer’s account.
  • Subsequent credential stuffing attacks took place in September 2019, January 2020, and June 2022, resulting in further unauthorized access to the protected health information in 484 customers’ accounts.
  • On March 14, 2024, Warby Parker received the results of the investigation and was instructed to resolve the alleged HIPAA violations informally.


Reasons for the Fine

The OCR imposes Civil Money Penalties (CMPs) on organizations that fail to comply with HIPAA regulations, particularly the HIPAA Security Rule in this case. These penalties are based on the severity of the violation, the organization’s level of culpability, and the potential or actual harm caused by the breach.

In the case of Warby Parker, OCR determined that the “reasonable cause” penalty tier was appropriate for their violation, as they failed to implement proper security measures in a timely manner. Some of the specific findings include:

  • Warby Parker failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports until May 12, 2020.
  • Warby Parker did not implement sufficient security measures to reduce risks and vulnerabilities to a reasonable and appropriate level until July 29, 2022.

As of the ruling date, Warby Parker had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) it held.


Call to Action

A credential stuffing attack is a type of cyberattack in which attackers take username and password combinations stolen from one service and use them to attempt logins at other, unrelated services. These attacks succeed because many people reuse the same password across multiple websites and accounts. Here are some security measures organizations can take to prevent these common attacks:

  • Restrict the number of login attempts within a time period and add delays after consecutive failed login attempts.
  • Monitor for unexpected traffic spikes and patterns consistent with credential stuffing attacks.
  • Set up alerts for abnormal activities and regularly inspect logs.
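The following is an added example, not code from the HALOCK post, showing how the first two measures can be put into practice: a detector that scans authentication logs for the credential stuffing signature (many failed logins against many distinct accounts from one source inside a short window) and a backoff function that adds growing delays after consecutive failures. The log line format, field names, and thresholds are assumptions chosen for illustration.

```python
# Added example (not from the original post): credential stuffing detection over
# constructed auth-log lines, plus a failed-attempt backoff delay.
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO-8601 UTC time> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: one source tries many accounts, another retries one account.
SAMPLE_LOG = """\
2025-02-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2025-02-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2025-02-20T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2025-02-20T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2025-02-20T10:00:05Z ip=203.0.113.5 user=erin result=OK
2025-02-20T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2025-02-20T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2025-02-20T10:00:20Z ip=198.51.100.7 user=alice result=FAIL
2025-02-20T10:00:30Z ip=198.51.100.7 user=alice result=FAIL
2025-02-20T10:00:40Z ip=198.51.100.7 user=alice result=FAIL
2025-02-20T10:00:50Z ip=198.51.100.7 user=alice result=FAIL
""".splitlines()

def parse_line(line):
    """Parse one log line into (timestamp, ip, user, success) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), m.group(4) == "OK"

def find_stuffing_sources(lines, window_seconds=300, min_failures=5, min_distinct_users=4):
    """Return {ip: (failures, distinct_users)} for sources whose failed logins inside a
    sliding window hit both thresholds. Requiring many distinct usernames separates
    stuffing from a single user mistyping their own password (lines assumed time-ordered)."""
    recent = defaultdict(deque)  # ip -> failed (timestamp, user) pairs still in window
    flagged = {}
    for ts, ip, user, ok in filter(None, map(parse_line, lines)):
        if ok:
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_distinct_users:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (len(q), len(users)))
    return flagged

def backoff_delay(consecutive_failures, base=1.0, cap=60.0):
    """Seconds to delay the next attempt: none after the first failure, then
    doubling (1, 2, 4, ...) up to a cap, so automated guessing slows sharply."""
    if consecutive_failures <= 1:
        return 0.0
    return min(base * 2 ** (consecutive_failures - 2), cap)
```

In the sample, 203.0.113.5 is flagged (five failures across five accounts within seconds) while 198.51.100.7 is not, because its five failures all target one account; the successful login from the flagged source after that run of failures is the event an analyst would want alerted on.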


In relation to HIPAA breach notifications, breaches affecting 500 or more individuals must comply with the following:

  • Affected individuals must be notified within 60 calendar days of discovery of the breach.
  • Organizations must notify prominent media outlets serving the state or jurisdiction where the breach occurred, also within 60 calendar days of discovery.

If you’re seeking clarity on what constitutes “reasonable security measures” for your organization or need guidance on compliance regulations such as HIPAA or other major regulatory frameworks, consider reaching out to HALOCK Security Labs. Our team of seasoned security and compliance experts can provide a comprehensive assessment of your current security posture and offer tailored education on relevant compliance requirements.