
Cybersecurity report cards are in, and let’s just say—most companies would be grounded if their IT security grades were real school grades. With over 80% of Fortune 500s scoring a D or F, and healthcare companies hovering around the danger zone, it’s clear that many organizations are securing data about as well as a cardboard vault. Just ask Warby Parker, which racked up multiple breaches over the years while seemingly skipping Cybersecurity 101. In this episode, we break down what these cybersecurity scores mean, how they were calculated, and what companies should be doing before they end up in the digital hall of shame.
In this episode:
Big Money Breaches & Bad Security Grades – Ep 498
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
Big Money Breaches & Bad Security Grades
[07:06] OCR Imposes a 1.5M CMP Against Warby Parker in HIPAA Cybersecurity Hacking Investigation – Proposed
OCR Imposes a 1.5M CMP Against Warby Parker in HIPAA Cybersecurity Hacking Investigation – Final
Warby Parker experienced a credential stuffing attack on its website between September 25, 2018 and November 30, 2018. The company discovered the attack on November 26, 2018, after noticing unusual login attempts. As a result of the attack, unauthorized third parties gained access to some Warby Parker customer accounts.
Warby Parker experienced multiple credential stuffing attacks between 2019 and 2022, resulting in unauthorized logins and the exposure of 484 customers’ protected health information. Specific attack dates include September 2019, January and April 2020, and June 2022.
The 2018 Warby Parker breach impacted 197,986 people. Although a significant number of individuals were affected, this breach was not among the largest ones reported annually to OCR. OCR’s investigation found three longstanding Security Rule violations. Warby Parker addressed two of these violations (Risk Management and Information Security Activity Review) only during the OCR investigation, while one (Risk Analysis) remains unaddressed.
Warby Parker had an opportunity to prove to the OCR that it had implemented recognized security practices (RSPs) by January 12, 2024. Warby Parker responded on February 5, 2024. However, after reviewing the submitted data, policies, and procedures, OCR determined that Warby Parker had not adequately demonstrated that it had substantially implemented RSPs in the prior 12 months.
“Identifying and addressing potential risks and vulnerabilities to electronic protected health information is necessary for effective cybersecurity and compliance with the HIPAA Security Rule,” said OCR Acting Director Anthony Archeval. “Protecting individuals’ electronic health information means regulated entities need to be vigilant in implementing and complying with the Security Rule requirements before they experience a breach.”
Warby Parker’s $1.5M OCR Penalty
- Warby Parker was hit with a $1.5M penalty after a credential stuffing attack exposed nearly 200,000 individuals’ PHI.
- OCR found three HIPAA Security Rule violations, including failure to conduct risk analysis and monitor system activity.
- Multiple breaches over several years (2018-2022) with no adequate security improvements.
- Warby Parker waived its right to a hearing, accepting the penalty.
- Lessons learned: Risk assessments, monitoring, and multi-factor authentication (MFA) are a must to avoid these fines.
- OCR’s warning: Be proactive, not reactive, or risk paying big bucks.
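The 2018 incident was only discovered after someone noticed "unusual login attempts", and one of the three violations was the failure to review information system activity. The script below is an added example (not code from the podcast, OCR, or Warby Parker) of what that review can look like in practice: it reads web-application login records in a log format constructed for this illustration, flags source addresses whose pattern matches credential stuffing (one address cycling through many different accounts with a high failure rate), and lists the accounts that logged in successfully from a flagged source, since those are the ones to reset and notify. The thresholds and the log layout are assumptions to adapt to your own environment.

```python
"""Credential-stuffing indicator over web-application login logs.

Added example, not code from the podcast or from Warby Parker. The log
format below is constructed for illustration; adapt parse_line() to your
own authentication logs.
    <ISO-8601 timestamp> ip=<source address> user=<account> result=OK|FAIL
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


@dataclass
class IpStats:
    """Per-source-address tallies accumulated while reading the log."""
    users: Set[str] = field(default_factory=set)          # distinct accounts tried
    success_users: Set[str] = field(default_factory=set)  # accounts that logged in
    failures: int = 0
    successes: int = 0


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, user, result), or None for a malformed line.

    Malformed lines are skipped rather than aborting the whole review, so one
    bad record cannot hide an attack that the rest of the log shows.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["ip"], m["user"], m["result"]


def find_stuffing_sources(lines: Iterable[str],
                          min_distinct_users: int = 5,
                          min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source addresses whose login pattern looks like credential stuffing.

    Signal used: one address trying many *different* accounts with a high
    failure rate. A shared office NAT also produces many accounts, but its
    failure ratio stays low; a single user mistyping a password fails often
    but against one account. Both thresholds are assumptions to tune per site.
    """
    stats: Dict[str, IpStats] = defaultdict(IpStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, ip, user, result = rec
        s = stats[ip]
        s.users.add(user)
        if result == "OK":
            s.successes += 1
            s.success_users.add(user)
        else:
            s.failures += 1

    flagged: Dict[str, dict] = {}
    for ip, s in stats.items():
        total = s.failures + s.successes
        ratio = s.failures / total
        if len(s.users) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "failures": s.failures,
                "successes": s.successes,
                "fail_ratio": round(ratio, 3),
                # Accounts that succeeded from a flagged source are the ones to
                # force a password reset / MFA re-enrolment on and to notify.
                "compromised_accounts": sorted(s.success_users),
            }
    return flagged


# Constructed sample log: one stuffing source, one office NAT, one clumsy user,
# and one malformed record. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG: List[str] = (
    [f"2018-09-25T10:00:{i:02d}Z ip=203.0.113.5 user=u{i:03d} result=FAIL"
     for i in range(1, 9) if i != 3]
    + ["2018-09-25T10:00:03Z ip=203.0.113.5 user=u003 result=OK"]
    + [
        "2018-09-25T10:01:00Z ip=198.51.100.7 user=alice result=OK",
        "2018-09-25T10:01:05Z ip=198.51.100.7 user=bob result=OK",
        "2018-09-25T10:01:09Z ip=198.51.100.7 user=carol result=FAIL",
        "2018-09-25T10:01:20Z ip=198.51.100.7 user=carol result=OK",
        "2018-09-25T10:02:00Z ip=192.0.2.9 user=dave result=FAIL",
        "2018-09-25T10:02:10Z ip=192.0.2.9 user=dave result=FAIL",
        "2018-09-25T10:02:30Z ip=192.0.2.9 user=dave result=OK",
        "this line is not a login record",
    ]
)

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample only 203.0.113.5 is flagged (8 distinct accounts, 7 failures, 1 success), and the one account it did get into, u003, is reported for reset. Running something like this on a schedule, rather than waiting for someone to notice odd traffic, is the kind of routine activity review OCR faulted Warby Parker for lacking; MFA then limits what a stolen password is worth even when the review misses an attempt.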
Report: 84% of Fortune 500 companies scored a D or worse for their cybersecurity efforts | Cybernews
“The healthcare industry is also particularly vulnerable, with 55% of the scored companies receiving a D rating and 31% an F rating. Only 10% of the companies analyzed in the Healthcare and Pharmaceuticals category achieved an A grade. Overall, the healthcare sector received an average security score of 70.”
Cybersecurity Report – Fortune 500’s Failing Grades
- Fortune 500 companies scored “D” or worse in cybersecurity, including major healthcare players.
- The scoring method focuses on external factors like patching, email security, SSL/TLS config, and breach history.
- Healthcare’s bad grades: Why external scans alone aren’t enough & what’s missing.
- Could we create a better scoring system for clients that includes internal security measures?
- What should be included? MFA usage, employee training, internal logging, real risk management.
- Takeaway: Just because a company looks secure on the outside doesn’t mean they aren’t a hot mess inside.
If this cybersecurity report teaches us anything, it’s that “good enough” security often isn’t actually good enough. With 84% of Fortune 500 companies scoring a D or F, and healthcare security hanging by a thread, it’s clear that most organizations are leaving the door wide open for cyber threats. Just ask Warby Parker, which proved that ignoring security doesn’t make the problem go away—it just gets you breached again and again. The real question is: will companies step up and fix their security before disaster strikes, or will they just keep hoping for the best?
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.