Planned Parenthood Los Angeles began sending notification letters this week to patients whose information may have been affected by a cyber incident in October.
According to the letter, which was posted on the California Office of Attorney General’s data security breach website, PPLA identified suspicious activity on its computer network on October 17.
After taking systems offline, notifying law enforcement and engaging a third-party cybersecurity firm, the healthcare facility determined that an unauthorized person had gained access to the network between October 9 and October 17, installed ransomware and exfiltrated some files from the system during that time.
Planned Parenthood spokesperson John Erickson told Healthcare IT News that about 400,000 patients’ information was contained in the documents.
“At this time, we have no evidence that any information involved in this incident has been used for fraudulent purposes,” said Erickson. Erickson said that health centers had remained open, with patient care operations continuing, throughout the incident.
WHY IT MATTERS
According to the facility, the files involved included patient names, as well as one or more of the following:
- Insurance information
- Dates of birth
- Clinical information, such as diagnosis, procedure and/or prescription information
In many ways, the attack follows the blueprint set by other bad actors who have targeted healthcare facilities.
But some cyber experts said the elevated political passions around Planned Parenthood, and reproductive healthcare in general, may mean the incident carries extra weight.
“This is devastating news at a time when political tensions are raging as the Supreme Court actively debates a direct challenge to 1973 Roe v. Wade,” said Jane Grafton, vice president at the cyber security company Gurucul.
Grafton was referring to the oral arguments heard before the highest court in Dobbs v. Jackson Women’s Health Organization on Wednesday.
Although Planned Parenthood Los Angeles is not directly involved with that case, the association between its parent organization and abortion care raised concerns about its patients’ personal information, particularly considering the harassment providers have faced.
“Women’s personal procedures and diagnosis are just that: personal. Having them stolen for potential exposure puts women in the political crosshairs,” said Grafton. “Securing medical records has never been more important. We can only hope that this information stays out of the public eye.”
“Given that not only was standard identity information stolen, but the theft was coupled with medical background and procedure data, the ramifications of malicious use of this data are easy to imagine,” said Garret Grajek, CEO of the identity governance vendor YouAttest.
THE LARGER TREND
Although 400,000 is a substantial number of patient records, the breach is far from the most severe reported in 2021.
That dubious honor goes to Florida Healthy Kids Corporation, which found “significant vulnerabilities” on its site since 2013 – potentially leading to the exposure of Social Security numbers, dates of birth, names, addresses and financial information for 3.5 million people.
Still, it’s possible PPLA could face legal action over the breach if affected individuals feel their data wasn’t adequately protected.
It wouldn’t be alone in that, either: In October, a Florida resident brought a lawsuit against UF Health Central Florida after an incident potentially exposed her information, as well as that of more than 700,000 people.
ON THE RECORD
“Ransomware continues to be a major issue for organizations around the world, especially now that data is stolen before being encrypted,” said Erich Kron, security awareness advocate for KnowBe4, in a statement.
“The most common method for spreading ransomware is email phishing,” he added. “Organizations that want to protect themselves against these attacks should focus on prevention measures such as training the employees to spot and report phishing emails, including sending simulated attacks to help them polish their skills. Organizations should also ensure that email filters are in place and as a last resort to recover from the outage, that system backups are tested and kept isolated from the network.”