A data breach that affected nearly half a million patients at Planned Parenthood Los Angeles (PPLA) is being blamed on a ransomware attack, according to a report by the Los Angeles Times. A December 2021 review of the Office for Civil Rights (OCR) notification portal reveals that the PPLA “hacking incident” affected 409,759 Planned Parenthood clients.
In an email alert sent to its clients, PPLA indicated that on October 17, PPLA identified “suspicious activity” on its “computer network.” Planned Parenthood then claimed it immediately took its “systems offline, notified law enforcement, and a third-party cybersecurity firm was engaged to assist in our investigation.”
The investigation determined that “an unauthorized person gained access to our network between October 9, 2021 and October 17, 2021, and exfiltrated some files from our systems during that time,” according to PPLA, which later concluded that the files which were involved contained patient names, insurance information, dates of birth, and “clinical information, such as diagnosis, procedure, and/or prescription information.”
According to the LA Times, Planned Parenthood spokesperson John Erickson “did not specify which type of malware was detected and did not say whether Planned Parenthood paid a ransom.”
“We take safeguarding patients’ information extremely seriously, and have taken steps to address this incident,” Erickson told the paper. “Our focus now is on notifying and supporting those patients whose information was involved in this incident.”
Planned Parenthood of Metro Washington
A separate “hacking incident” involving 500 patients was reported in November of 2020 at Planned Parenthood of Metro Washington, according to the OCR notification portal.
“After an extensive forensic investigation, on October 21, 2020 we determined that unauthorized actors gained access to our network and between August 27, 2020 and October 8, 2020 acquired copies of documents that contained some patient information,” Planned Parenthood’s Washington affiliate wrote in a public notice on its website about that incident.
Breach at Planned Parenthood vendor Blackbaud
Last year, Planned Parenthood also posted a notice regarding a security breach at Blackbaud, a data management software and cloud computing software vendor of Planned Parenthood Federation of America and several affiliates, which “compromised some donor data” for multiple Planned Parenthood affiliates across the nation.
Past Privacy Breaches
Live Action News previously documented multiple violations of privacy (2016, 2017) under the federal HIPAA law taking place at Planned Parenthood (PP), including massive privacy breaches due to PP’s negligence. This exposed thousands of PP patients.
When Planned Parenthood closed its facility in Dubuque, Iowa, in April of 2016, it carelessly left thousands of private medical records in the center for months, while the building was being shown and eventually sold. PP of the Heartland reported the breach, affecting 2,506 individuals, in July of 2016. In 2018, PP of the Heartland reported another privacy breach of 515 patients at its Bettendorf center.
Planned Parenthood of Southwest Ohio Region at PP Elizabeth Campbell Center in Cincinnati left a storage location that housed private prescription medical logs unlocked. As a result, the custodian placed the logs containing personal health information in the trash dumpster, which was later emptied by the trash collector. According to a response from PP’s attorneys, the logs contained patient names, dates of birth, lab results and medication, affecting at least 5,000 individuals.
In August of 2016, Planned Parenthood of Greater Washington and North Idaho (PPGWNI) notified patients about a data security “error” affecting over 10,000 patients, in which e-mails were “inadvertently sent to the wrong addresses.” An online post by PP referred to it as an “isolated occurrence.”
Planned Parenthood of Illinois
TAB, a records management company working with the Planned Parenthood Federation of America for over a decade, identified “some serious problems” with the records of Planned Parenthood of Illinois, which oversees 17 branch locations. In TAB’s document, they suggested that the corporation’s records were getting lost in the mail and seen by those not employed by PP.
A 2013 Office for Civil Rights (OCR) complaint alleges that a PP staffer in Illinois disclosed medical information to a third party, who posted a message to Facebook which read, “I find it unbelievable that you are scared to cross the street, but were brave enough to kill your own embryo.” OCR decided to resolve case #14-168325 informally with technical assistance to PP and closed the case without further action.
Planned Parenthood California
In 2014, a Planned Parenthood client alleged she went to PP for the abortion pill, and a PP staff member texted a mutual friend to tell the friend the patient was seen at PP for an abortion. OCR decided to resolve the matter informally with technical assistance to PP and closed case #14-191232 without further action.
According to HIPAA Journal, in 2016, “the head of the House Select Investigative Panel tasked with investigating the trade of baby body parts by abortion clinics wrote to the director of the Department of Health and Human Services’ Office for Civil Rights requesting an investigation into violations of the Health Insurance Portability and Accountability Act (HIPAA). It is alleged that PP – Planned Parenthood Mar Monte (PPMM) and Planned Parenthood Shasta Pacific (PPSP) – and Family Planning Specialists Medical Group (FPS) improperly disclosed the protected health information (PHI) and personally identifiable information (PII) of female patients to StemExpress.”
Planned Parenthood Colorado
Live Action News previously reported how “[David] Daleiden testified that JR Gladstone, research coordinator at Planned Parenthood Rocky Mountains, showed him patient records…. Patient files are protected by HIPAA privacy laws…. This testimony was stricken from the record by Judge William Orrick III.”
Planned Parenthood Minnesota
In a lawsuit involving employee misconduct, an HR manager at Planned Parenthood of Minnesota, North Dakota, South Dakota testified that a PP call center agent was terminated for a reportable HIPAA violation: “A call center supervisor testified that he received an e-mail from another employee… stating that [PP agent] had sent her a chat message stating that [PP agent] had just scheduled E.S.’s cousin as a patient, with a follow-up message stating the cousin’s name.”
The State of Washington’s Consumer Protection Search for Consumer Complaints previously showed two complaints lodged against Planned Parenthood for “privacy abuse” in 2013 and 2014.
An OCR privacy complaint shows evidence that PP clients whose parents have insurance to cover health-related costs are sometimes counseled to bill the taxpayer via Medicaid instead. In 2014, this PP client alleged PP failed to tell her that if she signed up for Medicaid the bill would first go through her father’s health insurance. Instead, the client alleges, PP told them the visit would be totally confidential and the father would not be notified.
Privacy breaches and complaints were also reported at:
- PP of South Atlantic
- PP of The North Valley
- PP Napa Center
- PP Utica New York
- PP of Northeast Ohio
- PP of Delaware
- PP in Chicago, Illinois
- PP of Trexlertown, Pennsylvania
- PP Gulf Coast
- PPP Mission Bay
- PP Moreno Valley Center