Planned Parenthood Class Action Lawsuit

Planned Parenthood Los Angeles (PPLA) faces a class-action lawsuit in the wake of an October 2021 cyberattack that potentially exposed the protected health information (PHI) of 409,759 patients. The Planned Parenthood class-action lawsuit is discussed in detail below.

Planned Parenthood Class-Action Lawsuit – Details of Lawsuit

Filed on December 9, 2021, by an unnamed patient, the lawsuit alleges that the patient and class members have been placed at “imminent risk of harm as a result of the theft of their sensitive health data.”

Although HIPAA itself provides no private right of action, the lawsuit alleges that PPLA violated HIPAA by failing to ensure the confidentiality of patient data. The lawsuit points out that this is the third data breach PPLA has suffered in the past three years and claims that insufficient cybersecurity measures had been put in place to prevent unauthorized access to PHI.

In addition to the HIPAA violations, the lawsuit claims PPLA also violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The suit seeks unspecified compensatory and statutory damages, injunctive relief, and investment in cybersecurity measures to ensure further breaches do not occur. The lawsuit also asks that affected individuals be provided with identity theft protection and restoration services and that they are covered by an identity theft insurance policy.


Planned Parenthood Class-Action Lawsuit – Details of Data Breach

In a statement about the breach, PPLA said it first detected “suspicious activity on our computer network” on October 17, 2021. It was later determined that an unauthorized person had gained access to the network on October 9, 2021, and retained that access until October 17, 2021.

During that window the unauthorized person installed malware/ransomware and exfiltrated some files containing PHI from PPLA's systems. These files contained “certain patients’ names, and one or more of the following: dates of birth, addresses, insurance identification numbers, and clinical data, such as diagnosis, treatment, or prescription information.”

Planned Parenthood Class-Action Lawsuit – Response to Data Breach

At the time of its statement, PPLA was not aware of any information obtained in the incident having been used fraudulently. PPLA has notified affected patients and is encouraging them to monitor billing statements for possible fraudulent charges.

However, one of the factual allegations in the class-action lawsuit states:

“On December 9, 2021, Plaintiff received an alert from Experian notifying her that Experian found an unfamiliar address associated with her Social Security number. The alert characterized the ‘risk level’ as ‘high.’”

It is not clear whether the Experian alert was connected to the data breach; Social Security numbers are not among the data elements PPLA listed as exposed.

Planned Parenthood Class-Action Lawsuit – Takeaways

It is too soon to determine whether PPLA was operating its clinics in a HIPAA-compliant manner. If Office for Civil Rights (OCR) investigators uncover HIPAA violations, PPLA could be fined, with the penalty tier determined by its level of culpability and its good-faith efforts to comply.

Regardless of the outcome, there are some questions that every healthcare provider, and every vendor that handles PHI or ePHI on a provider's behalf, should ask about its HIPAA compliance:

  • Have I completed a Security Risk Analysis to identify compliance gaps that need to be addressed?
  • Does my HIPAA compliance plan fully address all the requirements of the HIPAA Privacy Rule, Security Ru