[ Friday, February 21, 2025 ]
Warby Parker Pays $1.5 to Settle HIPAA Violation
I wasn't involved in this matter, so I don't have inside information and I'm just speculating here. But a couple of things stand out to me:
What makes sense:
- The breach came about from a pretty common variety of illegal access: "credential stuffing," where someone gets access to one website, steals credentials (either a massive number of user credentials or, usually, the credentials of some system administrator folks), and uses those credentials to gain access to other websites. If it's user passwords that are stolen, there's not a great way to prevent the secondary action (most people will reuse passwords; get used to it), but if it's administrator credentials, that reflects poorly on the IT folks: sysadmins should be (i) smarter than the average user, and (ii) willing to do the extra work of maintaining multiple passwords.
- The failures are the typical failures that show up in most if not all breaches that result in OCR fines:
  - Lack of sufficient risk analysis. Folks, any business with personal information on more than 1,000 customers and more than $1 million in revenue should have conducted a breach risk analysis. Every IT person should be able to handle at least the most rudimentary risk analysis. There's even a pretty easy-to-use tool on the OCR website.
  - Lack of sufficient security measures. It's always going to be an uphill battle if you haven't done a risk analysis, because it's basically impossible to show that your security measures are sufficient. But still, some effort is required here.
  - Failure to regularly review system activity. This is a new focus of OCR investigations, but it's a smart one, and you'd be wise to keep it in mind. Regularly reviewing (i) who is accessing your system, what they're looking at, and when, and (ii) the amount of data flowing in, within, and (particularly) out of your system, along with the times it is moving and where it's going, can often indicate that you have a problem well before the bad guys act.
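To make the "review system activity" point concrete, here is an added example (not from the original post, and not anything Warby Parker or OCR published) of the kind of small review script an IT person could run over authentication and export logs. It looks for the two shapes discussed above: one source failing logins across many different accounts and then succeeding (what credential stuffing leaves behind in an auth log), and successful access or large data exports outside normal hours. The log format, the field names, the business-hours window and the byte threshold are all assumptions; the log lines are constructed sample data.

```python
"""
Added example, not from the original post: a simple log review that flags
credential-stuffing style login patterns, off-hours access and unusually
large exports. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <event> user=<name> src=<ip> [bytes=<n>]
SAMPLE_LOGS = """\
2025-02-10T02:14:05 login_failed user=alice src=203.0.113.9
2025-02-10T02:14:06 login_failed user=bob src=203.0.113.9
2025-02-10T02:14:07 login_failed user=carol src=203.0.113.9
2025-02-10T02:14:08 login_failed user=dave src=203.0.113.9
2025-02-10T02:14:09 login_failed user=erin src=203.0.113.9
2025-02-10T02:14:10 login_ok user=sysadmin src=203.0.113.9
2025-02-10T02:20:00 export user=sysadmin src=203.0.113.9 bytes=734003200
2025-02-10T09:05:00 login_ok user=alice src=198.51.100.4
2025-02-10T09:30:00 export user=alice src=198.51.100.4 bytes=204800
2025-02-10T10:12:00 login_failed user=bob src=198.51.100.7
2025-02-10T10:12:30 login_ok user=bob src=198.51.100.7
"""

STUFFING_MIN_DISTINCT_USERS = 5         # assumption: failures across >= 5 accounts from one source
BUSINESS_HOURS = range(8, 18)           # assumption: 08:00-17:59 local is normal working time
EGRESS_ALERT_BYTES = 100 * 1024 * 1024  # assumption: a single export over 100 MiB is worth a look


def parse_line(line):
    """Split one assumed-format log line into a dict of typed fields."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": fields.get("user"),
        "src": fields.get("src"),
        "bytes": int(fields.get("bytes", 0)),
    }


def review(log_text):
    """Return findings keyed by signal name; each value is a list of tuples."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failed_users_by_src = defaultdict(set)
    findings = {"credential_stuffing": [], "off_hours_access": [], "large_egress": []}

    for e in events:
        if e["event"] == "login_failed":
            failed_users_by_src[e["src"]].add(e["user"])
        # (i) who is accessing, and when: successful logins outside business hours
        if e["event"] == "login_ok" and e["ts"].hour not in BUSINESS_HOURS:
            findings["off_hours_access"].append((e["user"], e["src"], e["ts"].isoformat()))
        # (ii) how much data is leaving: single exports above the threshold
        if e["event"] == "export" and e["bytes"] >= EGRESS_ALERT_BYTES:
            findings["large_egress"].append((e["user"], e["src"], e["bytes"]))

    # One source failing across many distinct accounts, then succeeding on one,
    # is the shape credential stuffing leaves in an authentication log.
    for src, users in failed_users_by_src.items():
        if len(users) >= STUFFING_MIN_DISTINCT_USERS:
            successes = sorted({e["user"] for e in events
                                if e["event"] == "login_ok" and e["src"] == src})
            findings["credential_stuffing"].append((src, len(users), successes))
    return findings


if __name__ == "__main__":
    for signal, hits in review(SAMPLE_LOGS).items():
        print(signal, hits)
```

On the constructed sample, all three signals point at the same source and the same administrator account within a few minutes, which is exactly the kind of picture a weekly (or daily) review is meant to surface before anyone notices a breach the hard way. The thresholds are deliberately simple; in practice you would tune them to your own baseline, which is one of the things a risk analysis gives you.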
What is unusual or unknown:
- Is Warby Parker even a HIPAA covered entity? I did not know they actually did eye exams, but thought it was just a retailer of cool frames. Even if they are like LensCrafters or Pearle Vision, that would make the frames/lenses retailer a business associate of the associated optical practices.
- There is another "usual" problem that OCR notes when issuing fines that isn't mentioned here: lack of sufficient policies and procedures. I guess maybe Warby Parker has good policies, but just didn't execute.
Jeff [8:51 AM]