Planned Parenthood Los Angeles (PPLA) has reached a “$6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients,” reported the HIPAA Journal in April.
The data breach was blamed on a ransomware attack, according to a report by the Los Angeles Times.
In an email alert sent to its clients, PPLA indicated that on October 17, PPLA identified “suspicious activity” on its “computer network,” as Live Action News previously reported. Planned Parenthood then claimed it immediately took its “systems offline, notified law enforcement, and a third-party cybersecurity firm was engaged to assist in our investigation.”
The investigation determined that “an unauthorized person gained access to our network between October 9, 2021 and October 17, 2021, and exfiltrated some files from our systems during that time,” according to PPLA, which later concluded that the files which were involved contained patient names, insurance information, dates of birth, and “clinical information, such as diagnosis, procedure, and/or prescription information.”
“The covered entity (CE), Planned Parenthood Los Angeles, reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 409,759 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, diagnoses/conditions, lab results, medications prescribed, and health insurance information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach the CE strengthened its administrative and technical safeguards,” the archived Office for Civil Rights (OCR) notification stated.
CLASS ACTION LAWSUIT
Shortly after receiving the notice of the breach, a class action lawsuit was filed against Planned Parenthood in the U.S. District Court of Central California.
The lawsuit alleged “violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA),” according to the HIPAA Journal.
In addition, the lawsuit claimed that “Despite discovering the Data Breach on October 17, 2021 (more than one week after the unauthorized parties first accessed PPLA’s systems), not until November 4, 2021, did PPLA determine that the stolen files included its patients’ Confidential Information. And, PPLA failed to provide notice to its patients until November 30, 2021, at the earliest—more than one month after PPLA had detected the Data Breach” (emphasis added).
PPLA’s client claimed to have suffered from “stress and anxiety as a result of the Data Breach and from the loss of her privacy” and “a present injury from the existing and continuing risk of fraud, identity theft, and misuse resulting from her personal information… being placed in the hands of unauthorized third parties,” the lawsuit stated.
Multiple Plaintiffs also claimed in the suit that they “would not have used PPLA had [they] known that it would expose, or allow to be exposed, [their] Confidential Information, making it available to unauthorized parties.”
PLANNED PARENTHOOD LOS ANGELES $6 MILLION SETTLEMENT
While, according to HIPAA Journal, PPLA chose to settle the lawsuit with no admission of wrongdoing, the plaintiffs allege that Planned Parenthood “acted in reckless disregard of their privacy rights” and “knew or should have known that their substandard data security measures are highly offensive to a reasonable person in the same position as Plaintiffs and Class members.”
As a result of the lawsuit, a $6 million fund has been set up to confer statutory damages, HIPAA Journal claimed.
According to the settlement, PPLA clients who “received a notice from PPLA in or around November 2021 about the Data Breach… are included in this Settlement as a ‘Settlement Class Member.’”
“Under the Settlement, PPLA has agreed to establish a Settlement Fund to pay for (1) credit monitoring and identity theft protection and insurance; (2) a cash Statutory Payment for claims brought under the California Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq.; (3) a cash payment of up to $210 for up to an additional seven hours of documented time fairly traceable to the Data Breach, valued at $30 per hour; (4) cash payment of up to $10,000 for documented losses and/or out-of-pocket costs fairly traceable to the Data Breach; and (5) the costs of the settlement administration, court-approved attorneys’ fees and expenses, and service awards for Class Representatives,” the Litigation Settlement website reads.
Claims can be made at this website and “will be accepted up to a maximum of $10,000 to recover documented losses,” HIPAA Journal wrote.
But “Claims must be filed on or before July 6, 2024,” PPLA’s notice from the courts stated.
ADDITIONAL PLANNED PARENTHOOD PRIVACY BREACHES:
The abortion industry has a terrible record of protecting patient privacy, as Live Action News has documented. A recent review of abortion business websites revealed that “99.1% of US based abortion clinic web pages include third-party tracking, transferring user data to a median of 9 unique entities.”
Live Action News also previously documented multiple violations of privacy (2016, 2017, older) under the federal HIPAA law taking place at Planned Parenthood (PP), including massive privacy breaches and abuses due to PP’s negligence, exposing thousands of PP patients.
An April 2024 review of the Office for Civil Rights (OCR) notification portal archive page reveals multiple privacy breaches against Planned Parenthood, including “hacking incidents,” “Unauthorized Access/Disclosures,” as well as an “Improper Disposal” of private client information.
In total, these larger breaches (including PPLA) affected over half a million Planned Parenthood clients:
- Los Angeles (409,579)
- Metro Washington (142,982)
- Planned Parenthood of the Heartland (515 in 2018, 2,506 in 2016)
- Greater Washington and North Idaho (10,700)
- Planned Parenthood of Southwest Ohio (5,000)
A separate breach at Blackbaud, a data management and cloud computing software vendor of Planned Parenthood Federation of America (PPFA) and several affiliates, “compromised some donor data” for multiple Planned Parenthood affiliates across the nation, even after Planned Parenthood posted a notice regarding a security breach at Blackbaud.
In addition, TAB, a records management company working with the Planned Parenthood Federation of America for over a decade, identified what they called “some serious problems” with the records of Planned Parenthood of Illinois, which oversees 17 branch locations. In TAB’s document, they suggested that the corporation’s records were getting lost in the mail and seen by those not employed by PP.
Planned Parenthood national received nearly $700 million ($699.3 M) from the U.S. taxpayer while committing nearly 400,000 abortions, according to its 2022-23 annual report. Meanwhile, Planned Parenthood Los Angeles reportedly committed 21,864 abortions that year alone.