A patient has filed a lawsuit against Planned Parenthood Los Angeles, one week after the disclosure of a ransomware attack that led to the theft of health data tied to 409,759 patients. Filed in the U.S. District Court of Central California, the lawsuit asserts the data theft will spur imminent harm due to the highly sensitive nature of the stolen health information.
The lawsuit spurs from a weeklong hack against the PPLA computer network, which was first detected on Oct. 17. The systems were immediately taken offline. An investigation revealed the attackers first gained access on Oct. 9, using their access to exfiltrate patient files.
Along with contact information and demographic details, the stolen information contained full medical histories and PPLA procedures. The lawsuit appears to reveal the stolen medical information “included ‘electronic medical records’ or ‘electronic health records.'”
“By its nature, the information exfiltrated in the Data Breach is extremely sensitive: Planned Parenthood provides not only abortion and other family planning procedures, but also such health services as testing for sexually transmitted diseases, HIV testing, emergency contraception, and cancer screenings,” according to the suit.
The lawsuit argues that the timing of the hack coinciding with the Supreme Court debates on abortion, “makes it more likely that hackers will exploit the stolen information or seek ransom payments for its return.”
As a result, the breach victims are facing imminent risk of identity theft and other harm. The lawsuit also alleges patients have and will continue to suffer economic and actual harm, such as loss of the opportunity to control the use of their medical information and out-of-pocket costs tied with preventing and detecting identity theft or misuse of their health information.
The lawsuit further claims the patient has faced stress and anxiety due to the breach, as well as "damage and diminution in the value of her personal information” after a fraudulent account was opened using her stolen information.
Under a June 2021 Supreme Court ruling, the breach victim must provide evidence of concrete harm by a breach violation to have standing to seek damages against an entity.
PPLA is accused of failing to implement adequate cybersecurity measures and procedures, along with other security failings, which allegedly caused the breach. The lawsuit also alleges the provider violated the The Health Insurance Portability and Accountability Act and California’s highly strict Confidentiality of Medical Information Act and the Consumer Privacy Act.
According to the lawsuit, this is the third hacking and data theft incidents reported by a PPLA entity in the last three years. Activists broke into the Planned Parenthood network in 2015 and stole the contact information of hundreds of employees and leaked it online. And just last year, the Washington, D.C., site reported a hack of patient and donor information.
PPLA “negligently created, maintained, preserved, stored, abandoned, destroyed, or disposed of [patients]’ medical information in a manner that failed to preserve the security of that information and breached its confidentiality,” according to the lawsuit.
The lawsuit is seeking both compensatory and statutory damages and injunctive relief to require PPLA to remediate its “deficient cybersecurity protocols” and provide the patient breach victims with identity theft insurance or the funding to secure these services.