Hack targets Planned Parenthood, exposing personal information of 400K patients

A recent cyberattack on Planned Parenthood’s Los Angeles branch exposed the personal information of about 400,000 patients.

Between Oct. 9 and Oct. 17, a hacker infiltrated the reproductive health care center’s network and stole files containing patient information, such as names and insurance details, along with clinical information, including diagnoses and the procedures patients underwent.

However, the Los Angeles affiliate didn’t find any evidence that the stolen information had been used for “fraudulent purposes,” the organization said in a letter (PDF) to its patients.

The branch spotted signs of “suspicious activity” on Oct. 17, at which point it immediately shut down its systems and reported the attack. The branch also said it contacted a third-party cybersecurity company to assist in its investigation.

The attack involved the installation of ransomware on the health center’s network, an increasingly common form of cyberattack.

In ransomware attacks, hackers typically lock administrator access to systems or data and demand a fee for their release. Ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, double the amount of money spent in 2019, and hackers collected over $2.1 million in ransom payments.

George Gerchow, chief security officer of Sumo Logic, suggested in an email statement to Fierce Healthcare that healthcare organizations should ramp up their security systems to anticipate such attacks before they occur.

“With situations like this, many questions remain about the healthcare sector’s investment in retaining and securing the personal identifiable information of users and the devices used to collect this information,” Gerchow said. “Organizations, including healthcare companies, are still struggling with what it means to not have a defined perimeter anymore. The old security models are not suitable, but they are unfortunately still used to create strategies and responses to business risk.”

The announcement comes in the wake of Wednesday’s Supreme Court arguments in the case of Dobbs v. Jackson Women’s Health Organization, a Mississippi suit on abortion rights that seems poised to overturn Roe v. Wade.

Planned Parenthood is the largest U.S. provider of reproductive health services, including abortion, with over 2.4 million patients receiving care annually at the organization's affiliate health centers, according to a February 2021 report (PDF).

Though the Supreme Court justices will cast private votes in the coming days, an official decision in the case isn’t expected until summer 2022.