Planned Parenthood Class-Action Lawsuit – Details of Lawsuit
Filed on December 9, 2021, by an unnamed patient, the lawsuit alleges that the patient and class members have been placed at “imminent risk of harm as a result of the theft of their sensitive health data.”
While there is no private right of action in the HIPAA law, the lawsuit alleges PPLA has violated HIPAA by failing to ensure the confidentiality of patient data. The lawsuit points out that this is the third data breach PPLA has suffered in the past three years and claims insufficient cybersecurity measures had been put in place to prevent unauthorized PHI access.
In addition to the HIPAA violations, the lawsuit claims PPLA also violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).
The suit seeks unspecified compensatory and statutory damages, injunctive relief, and investment in cybersecurity measures to ensure further breaches do not occur. The lawsuit also asks that affected individuals be provided with identity theft protection and restoration services and that they be covered by an identity theft insurance policy.
Planned Parenthood Class-Action Lawsuit – Details of Data Breach
In a statement about the breach, PPLA stated they first detected “suspicious activity on our computer network” on October 17, 2021. It was later determined that an unauthorized person gained and retained access to the network from October 9-17, 2021.
The unauthorized person installed malware/ransomware and exfiltrated some files containing PHI from their systems. These files contained “certain patients’ names, and one or more of the following: dates of birth, addresses, insurance identification numbers, and clinical data, such as diagnosis, treatment, or prescription information.”
Planned Parenthood Class-Action Lawsuit – Response to Data Breach
At the time of their statement, PPLA was not aware of any information obtained from this incident being used fraudulently. They have notified affected patients and are encouraging them to monitor billing statements for possible fraudulent charges.
However, one of the factual allegations in the class-action lawsuit states:
“On December 9, 2021, Plaintiff received an alert from Experian notifying her that Experian found an unfamiliar address associated with her Social Security number. The alert characterized the ‘risk level’ as ‘high.’”
It is not clear whether the notification from Experian was a result of the data breach.
Planned Parenthood Class-Action Lawsuit – Takeaways
It’s too soon to determine whether or not PPLA was operating their clinic in a HIPAA-compliant manner. If HIPAA violations are uncovered by Office for Civil Rights (OCR) investigators, PPLA could be fined based upon their level of compliance and good-faith effort.
But there are some questions that every healthcare provider, and every vendor that handles PHI or ePHI on their behalf, should ask themselves about their HIPAA compliance:
- Have I completed a Security Risk Analysis to identify compliance gaps that need to be addressed?
- Does my HIPAA compliance plan fully address all the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule?
- Do I have signed Business Associate Agreements with any vendor who takes possession of PHI?
Addressing HIPAA compliance on your own is a daunting task. If you need guidance on how to get started, Compliancy Group is happy to help you.