Planned Parenthood patients sue lab over data breach affecting 1.6M
Farah Amod
June 05, 2025
Patients are taking legal action after a breach at a lab used by Planned Parenthood exposed the sensitive information of 1.6 million people.
What happened
Patients associated with Planned Parenthood have filed class action lawsuits against Laboratory Services Cooperative (LSC), a Seattle-based diagnostic testing provider, after a cyberattack compromised highly sensitive patient and employee data. LSC works with Planned Parenthood centers in 30 states and Washington, D.C.
The breach occurred on October 27, 2024, but affected individuals were not notified until April 2025. A forensic investigation completed in February confirmed that attackers accessed a wide range of data, including names, contact and insurance information, Social Security numbers, medical and clinical records, and financial details such as bank and card information. Worker records and dependent data were also exposed.
Going deeper
Three lawsuits, Doe v. LSC, Daniels v. LSC, and Wynn v. LSC, have been filed in the U.S. District Court for the Western District of Washington. Plaintiffs allege that LSC failed to adopt adequate cybersecurity measures and delayed breach notification. The delay, they argue, left patients exposed and uninformed for months.
The lawsuits also cite LSC’s failure to provide critical information in the breach notification letters, such as how the breach occurred, how it was detected, and what actions were being taken. The plaintiffs claim this lack of transparency adds to the harm.
The legal claims include negligence, invasion of privacy, breach of contract, and violations of both federal and Washington state consumer protection and data breach laws.
What was said
The lawsuits seek a jury trial and request compensatory damages, as well as court-mandated security reforms. These reforms include encryption, regular security audits, external penetration testing, and permanent deletion of the exposed personally identifiable information (PII).
LSC offered free credit monitoring and identity theft protection to affected individuals, but has not publicly commented on the ongoing lawsuits.
The big picture
The case adds to a broader pattern in healthcare-related data breach litigation, where legal challenges extend beyond the breach to include how organizations handle response and communication. With medical and financial data increasingly stored by third-party vendors like LSC, greater attention is being placed on the strength of security protocols and the timeliness of breach notifications, both now viewed as legal obligations and fundamental responsibilities.
FAQs
What legal protections exist for patients in healthcare data breaches?
Patients are protected under HIPAA, which mandates the safeguarding of health information, and under state laws like Washington’s Data Breach Notification Law, which sets timelines and disclosure requirements.
How long is too long to notify victims after a breach?
While HIPAA recommends notifying affected individuals within 60 days of discovery, delays beyond that, such as LSC’s 5-month gap, can result in legal consequences and allegations of noncompliance.
What is injunctive relief in data breach cases?
Injunctive relief refers to court-ordered actions an organization must take to improve data security, such as implementing encryption, audits, or system reforms, to prevent future breaches.
Can patients opt out of these class action lawsuits?
Yes. Individuals who qualify as part of a class action will receive instructions on how to participate, remain passive, or opt out if they wish to pursue individual legal action.
What should affected individuals do now?
They should activate any free credit monitoring services offered, monitor financial accounts closely, and consider placing fraud alerts or credit freezes with major credit bureaus for additional protection.
