Planned Parenthood Los Angeles Facing Class Action Lawsuit for the October 2021 Ransomware Attack

A class-action lawsuit was filed against Planned Parenthood Los Angeles (PPLA) over a ransomware attack that was uncovered on October 17, 2021. The cyberattack compromised the protected health information (PHI) of more than 409,759 patients. The notification letters given to the affected people on November 30, 2021, PPLA explained the breach of its systems on October 9, 2021. The hackers got access to files that contain PHI until October 17, when they were evicted from the network.

The data files on the impacted systems included names, birth dates, addresses, diagnoses, treatment, and prescribed medicine information, and a number of files were exfiltrated from its system prior to encrypting of files. PPLA stated it did not receive any evidence to suggest patient data has been misused.

A PPLA patient who was affected by the data breach filed a lawsuit at the U.S. District Court of Central California concerning the incident. The lawsuit claims the patient, along with class members, were placed at certain risk of harm due to the theft of their sensitive health information, which included electronic health records that list the procedures done by PPLA like abortions, treatment of sexually transmitted diseases, emergency contraception drugs, cancer screening details, other very sensitive health data.

The lawsuit additionally references the timing of the attack, which was simultaneous with the Supreme Court debates on abortion, and states the exposure of data on abortion processes at such a time makes it more probable that patients will face harm. Besides confronting an impending threat of harm, affected persons are probable to continue suffering economic and actual hurt and have lost handle of their healthcare records. They have likewise sustained out-of-pocket costs as a direct result of the data breach like expenses and time spent protecting their accounts, checking for identity theft and fraud, and taking action to avoid misuse of their personal information. The lead plaintiff states she has experienced actual harm because of the breach, such as stress and anxiety, and has additionally endured damage and a decrease in the value of her personal details.

Although the Health Insurance Portability and Accountability Act (HIPAA) has no private cause of action, the lawsuit claims PPLA has violated HIPAA by not being able to make sure the confidentiality of patient information and inadequate cybersecurity measures are in place to avoid unauthorized PHI access. The legal action furthermore claims that this is the third data breach suffered by PPLA in the past three years.

Aside from the HIPAA violations, the lawsuit states PPLA likewise breached the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit wants injunctive relief, compensatory and statutory damages, investment in cybersecurity solutions to make certain more breaches do not occur, and for impacted persons to have identity theft protection and restoration services and to have an identity theft insurance coverage policy.