The Office for Civil Rights has been investigating Warby Parker for more than two years over its handling of the 2018 cybersecurity attack on thousands of its customer accounts, according to a disclosure the company filed ahead of its public offering expected later this week.
The investigation stemmed from an incident three years ago, in which “unauthorized parties” allegedly tried to access nearly 200,000 Warby Parker customer accounts for two months using username and password combinations from unrelated data breaches. At the time, Warby Parker had disclosed that hackers may have accessed stored prescriptions and customer profile data, although it hadn’t found proof this occurred.
Though Warby Parker disclosed the attack in 2018, the investigation hadn’t been made public until recently. Warby Parker’s S-1, a disclosure document all companies must file with the Securities and Exchange Commission ahead of a public offering, shows that OCR, a division of the U.S. Department of Health and Human Services, opened an investigation and requested information about the incident in 2019.
The specific nature of the investigation and the potential violations at issue are not immediately clear, although the filing states that the inquiry is related to Warby Parker’s compliance with HIPAA privacy, security, and breach notification rules, which require companies to follow certain guidelines when unsecured health information is breached. Spokespersons at the OCR and Warby Parker didn’t immediately respond to requests for comment about the investigation.
OCR may request a settlement and a one- to three-year corrective action plan, among other actions, according to Warby Parker’s SEC filing. “We continue to work on a resolution with OCR,” the company said in the disclosure.
At the time of the incident, Warby Parker said it had reset passwords for the impacted accounts and conducted an internal investigation. It also hired external cybersecurity experts to assist with its review of the incident and reported it to law enforcement.
Cybersecurity incidents and hacking attempts have skyrocketed since the beginning of the pandemic—spanning companies, government agencies, schools, and hospitals. Warby Parker mentioned in the filing that it may be more vulnerable to security breaches in a remote work environment: “While we employ a number of security measures designed to prevent, detect, and mitigate potential for harm to our users from the theft of or misuse of user credentials on our network, these measures may not be effective in every instance.”