Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The cyberattack exposed the protected health information of more than 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021, and the hackers had access to files containing PHI until October 17, when they were ejected from the network.

The files on the affected systems contained names, addresses, birth dates, diagnoses, treatment, and prescription information, and some files were exfiltrated from its network prior to file encryption. PPLA said it has found no evidence to suggest patient data has been misused.

A PPLA patient whose PHI was exposed in the data breach has taken legal action over the incident. The lawsuit was filed in the U.S. District Court of Central California and alleges the patient, and class members, have been placed at imminent risk of harm as a result of the theft of their sensitive health data, which included electronic health records that detail the procedures performed by PPLA such as abortions, treatment of sexually transmitted diseases, emergency contraception prescriptions, cancer screening information, other highly sensitive health data.

The lawsuit also references the timing of the attack, which coincided with Supreme Court debates on abortion, and says the exposure of information on abortion procedures at such a time makes it more likely that patients will suffer harm. In addition to facing an imminent risk of harm, affected individuals are likely to continue to suffer economic and actual harm and have lost control of their healthcare data. They have also incurred out-of-pocket expenses as a direct result of the data breach such as costs and time spent securing their accounts, monitoring for identity theft and fraud, and taking action to prevent misuse of their personal information. The lead plaintiff alleges she has suffered actual harm as a result of the breach, including stress and anxiety, and has also suffered damage and diminution in the value of her personal information.

While there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA), the lawsuit alleges PPLA has violated HIPAA by failing to ensure the confidentiality of patient data and insufficient cybersecurity measures had been put in place to prevent unauthorized PHI access. The lawsuit also states that this is the third data breach PPLA has suffered in the past three years.

In addition to the HIPAA violations, the lawsuit claims PPLA also violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit seeks compensatory and statutory damages, injunctive relief, investment in cybersecurity measures to ensure further breaches do not occur, and for affected individuals to be provided with identity theft protection and restoration services and to be covered by an identity theft insurance policy.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.