Warby Parker Faces $1.5 Million Fine After Data Breach

by Zachary Barlow

March 4, 2025

Data security is vital to any company storing customer or employee data, particularly when that data is personally identifiable or sensitive. Eyewear manufacturer and retailer Warby Parker was recently hit with a $1.5 million civil money penalty (CMP) from the Department of Health and Human Services (HHS). HHS found that Warby Parker mishandled customers’ data, violating the Health Insurance Portability and Accountability Act (HIPAA). A recent memo from Saul Ewing describes the violation:

“OCR’s investigation found evidence of three violations of the HIPAA Security Rule: a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities; a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and a failure to implement procedures to regularly review records of information system activity.”

Data security and HIPAA compliance are clear priorities for companies that collect and store HIPAA-covered information. However, even companies not subject to federal data handling regulations should be aware of the myriad state data privacy laws that have entered into force in recent years. 2024 saw five state privacy laws enacted, and eight more have come into effect so far in 2025. Many of these laws require companies to take risk mitigation measures such as conducting privacy impact assessments (PIAs). Companies should know what types of data they collect and understand the specific compliance risks that data poses. Reviewing data handling processes and bringing data management practices in line with the applicable state and federal statutes is critical to avoiding enforcement penalties.