Amy Leopard Quoted in Relias Media on OCR Announcing Penalty for HIPAA Violations Against Warby Parker

Relias Media

Media Mention

Bradley attorney Amy Leopard was quoted in Relias Media on a recent announcement from the Office of Civil Rights (OCR) of a $1.5 million civil money penalty (CMP) against Warby Parker for HIPAA violations, a case that highlights the need for a prompt and effective response after a breach.

Warby Parker’s fine falls on the lower end of CMPs but exceeds recent voluntary settlements for large breaches caused by external actors, which often slide in under $1 million, said Leopard.

“Here, it seems they could not reach acceptable settlement terms, so OCR imposed the fine based on its legal determination that HIPAA violations occurred,” she explained. “The impasse may have arisen over the status of corrective action or ongoing monitoring requirements often integral to informal resolution that may result in more favorable payment terms as well as provisions denying liability for the alleged HIPAA violation.”

OCR considers a thorough security risk assessment (SRA) foundational to HIPAA compliance, Leopard noted.

“When a breach investigation reveals the SRA has been skipped or lacks depth, the breach may appear self-inflicted. Second, promptly fix problems,” she said. “Here, several credential-stuffing breaches occurred while they were already under investigation for the initial breach, so you can expect scrutiny of the entity’s measures taken in response to the original attack.”

After a breach, the organization should demonstrate prompt action, such as retraining staff, improving monitoring for improper access, and introducing safeguards like multifactor authentication, Leopard explained. If OCR does not see clear, concrete steps, it is less forgiving when subsequent breaches of a similar nature occur, she added. OCR has announced that it is undertaking the third phase of HIPAA audits to review security compliance most relevant to hacking and ransomware, so now is a good time to refresh your risk assessment and map it to a recognized security framework, such as the National Institute of Standards & Technology's, to prevent and reduce fines, she continued.

“Update your SRA annually. If OCR identifies deficiencies, take immediate action to address them. If you experience a HIPAA violation or a breach, promptly close the gaps to remediate the underlying issue,” Leopard said. “Showing OCR your corrective measures and a proactive posture goes a long way to reducing penalties and protecting your reputation.”

The full article, “OCR Imposes $1.5 Million Civil Monetary Penalty,” was published by Relias Media on June 1, 2025.