HIPAA Enforcement Continues to Be Hot in 2025

Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced its sixth HIPAA enforcement action of the year.  Just two months into 2025, the combined total of settlements and civil money penalties already exceeds $5 million.

Warby Parker, Inc., a manufacturer and e-retailer of prescription and non-prescription eyewear, was assessed a $1.5 million civil money penalty following a 2018 credential stuffing attack on customer accounts that affected about 200,000 individuals.  (In a credential stuffing attack, the attacker replays username and password pairs stolen in breaches of other services against a target’s login page, relying on customers who reuse passwords across sites.)  Warby Parker then suffered four additional credential stuffing attacks between 2019 and 2022.

Five cyber attacks of the same variety over a five-year period certainly indicate a lack of adequate security measures.  OCR’s investigation found that Warby Parker had failed to conduct an adequate security risk analysis, to implement security measures in a timely manner, and to monitor information system activity, all of which the HIPAA Security Rule requires.  Fueling the large CMP was the fact that, as of September 2024, Warby Parker still had not performed an adequate security risk analysis, and it did not implement security measures to address the ongoing attacks until after the fifth one.

The 2025 HIPAA enforcement year is on pace to eclipse the full-year totals of recent years well before the half-year mark.  The total thus far is $5,077,750, which already exceeds the full-year totals for 2022 and 2023.  Here’s a summary of the last six years:

Year  Announced resolutions  Amount collected  CMPs v. settlements      Most common issue      Right of Access   Risk Analysis
2024  16                     $9,263,846        7 CMPs; 9 settlements    Risk Analysis (10)     $420,000 (5)      $8,808,265 (10)
2023  13                     $4,176,500        All settlements          Risk Analysis (6)      $271,500 (4)      $3,555,000 (6)
2022  22                     $2,170,140        2 CMPs; 20 settlements   Right of Access (17)   $859,000 (17)     $875,000 (1)
2021  14                     $5,982,150        1 CMP; 13 settlements    Right of Access (12)   $857,150 (12)     $5,125,000 (2)
2020  19                     $13,554,900       All settlements          Right of Access (11)   $537,500 (11)     $10,977,400 (6)
2019  10                     $12,274,000       2 CMPs; 8 settlements    Risk Analysis (6)      $170,000 (2)      $8,365,500 (6)

The "Most common issue" column gives the number of resolutions involving that issue.  The "Right of Access" and "Risk Analysis" columns give the total dollar amount collected for resolutions involving that issue, with the number of such resolutions in parentheses.