Planned Parenthood Los Angeles, a prominent provider of reproductive healthcare services in Los Angeles County, has reached a settlement of $6 million to resolve all claims related to a data breach in 2021. This breach exposed the personal information of more than 409,437 patients, causing significant concerns about privacy and security.
What happened
Between October 9, 2021, and October 17, 2021, hackers gained unauthorized access to the Planned Parenthood Los Angeles network. They exfiltrated sensitive patient data and employed ransomware to encrypt files, effectively holding the organization's data hostage.
The ransomware attack was discovered on October 17, 2021, and confirmed on November 4, 2021, that patient data had been stolen. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical details such as procedures and prescriptions.
The backstory
A class-action lawsuit, known as In re: Planned Parenthood Los Angeles Data Incident Litigation, was filed in the U.S. District Court of Central California in response to the data breach. The lawsuit alleged that Planned Parenthood Los Angeles was negligent in implementing reasonable and appropriate cybersecurity measures, which could have prevented the ransomware attack and subsequent data breach. It claimed violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).
Going deeper
Planned Parenthood Los Angeles has settled the lawsuit without admitting any wrongdoing. The settlement allows class members to submit claims to recover documented losses incurred due to the data breach. These losses may include bank costs, credit expenses, fraudulent charges, and losses related to identity theft and fraud.
Additionally, class members can claim compensation for up to 7 hours of lost time at $30 per hour and receive three years of credit monitoring and identity theft protection services, including a $1 million identity theft protection policy.
Statutory damages will also be awarded to class members, with the amount depending on participation rates. After all claims have been paid, these damages will be paid from the remaining $6 million fund. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.
What was said
“We have and will continue to take steps to enhance our existing security measures and to help protect the information in our care, including increasing our network monitoring, engaging an external cybersecurity firm and hiring additional cybersecurity resources and talent to our team,” PPLA says in its initial response letter to Planned Parenthood patients. “We deeply regret that this incident occurred and for any concern this may cause you.”
Why it matters
The settlement reached by Planned Parenthood Los Angeles in response to the class-action data breach lawsuit signifies a step towards resolving the repercussions of the breach. By compensating affected individuals, the organization attempts to alleviate some of the harm caused by the exposure of sensitive patient information. This case reminds healthcare organizations to prioritize cybersecurity and implement measures to protect patient data from unauthorized access and potential breaches. The settlement also proves the necessity of timely and transparent communication with affected individuals and the need for data breach response strategies within the healthcare industry.
Farah Amod
