Planned Parenthood on Sept. 5 confirmed it was the target of a cyberattack on IT systems at its Montana organization that forced the women’s health advocacy non-profit to take parts of it technology infrastructure offline.
BleepingComputer reported that on Sept. 4 the RansomHub ransomware gang claimed responsibility for the Planned Parenthood attack. The threat actor reportedly said it would leak the 93 gigabytes of data it stole from Planned Parenthood of Montana on the public internet if its demands were not met within six days.
Numerous attempts to reach Planned Parenthood’s headquarters in New York City were unsuccessful. It was not clear what the size of the ransom demand was, or if Planned Parenthood intended to negotiate with the RansomHub threat actor by mid-day Sept. 5.
Best known for its efforts to provide healthcare and counseling for women seeking abortions, the attack on Planned Parenthood raised the profile of the abortion issue another notch in this fall’s presidential election.
The attack, which reportedly took place in late August, happened at a time when a recent New York Times/Siena College poll found that for women under 45, abortion had overtaken the economy as their single most important issue in terms of how they would vote.
While the attack does not appear to be directly linked to the election, CyberScoop reported that the incident occurred eight days after the state of Montana certified that abortion rights groups collected enough valid signatures to ensure a statewide vote in this November’s election that would add abortion rights to Montana’s constitution.
“Attempts to hack into an organization like Planned Parenthood are only to embarrass and intimidate people, especially women, who seek specific types of care,” said Jennifer Gill, vice president of product marketing at Skyhawk Security. “These organizations are targets, especially now with the election season upon us. This should serve as a warning to all organizations that have been politicized. They are a target, and the attackers are relentless."
Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, added that RansomHub's rapid rise to the top of the ransomware ecosystem has been fueled by its aggressive affiliate model and a growing list of victims, now more than 220.
Unlike older groups, Dikbiyik said they've attracted affiliates by offering a 90% cut and upfront payment, driven by their rapid expansion after the downfall of groups like AlphV and Lockbit. Professional services and manufacturing sectors make up 40% of all attacks, similar to other ransomware groups.
“Our analysis shows one-third of their victims are U.S. companies, with critical industries — such as energy, healthcare, telecommunications, and financial services — bearing the brunt of the attacks,” said Dikbiyik. “The Planned Parenthood attack demonstrates that the group continues to prioritize organizations that are critical and hold some of the most sensitive data.”
Randy Watkins, chief technology officer at Critical Start, pointed out that healthcare providers like Planned Parenthood store personally identifiable information (PII), medical records, and other confidential data that, if exposed, could have severe consequences for patients, including identity theft, fraud, and the compromise of personal health information (PHI). Moreover, Watkins said healthcare systems often operate under strict regulatory frameworks, such as HIPAA in the U.S., meaning that breaches can lead to hefty fines and legal repercussions.
“Healthcare organizations are also uniquely vulnerable because they often rely on older, legacy systems and must balance security with accessibility for life-saving operations,” said Watkins. “The potential for operational disruption in such environments, especially during an attack that targets critical infrastructure, can have immediate and life-threatening consequences.”
The attack on Planned Parenthood comes after the federal government reported on Aug. 29 that RansomHub had compromised at least 210 organizations since its initial appearance in February. RansomHub recently claimed an attack on Halliburton and was involved in the infamous Change Healthcare attack earlier this year.