Planned Parenthood Los Angeles data breach affects 400,000 patients

Planned Parenthood Los Angeles fell victim to a cyberattack in October, according to information released earlier this week.

The reproductive healthcare provider said its Los Angeles branch was infected with malware, compromising up to 400,000 patients’ data.

Following an internal investigation, Planned Parenthood Los Angeles is now informing those affected, but it believes that no information was used for fraudulent purposes.

The organization hasn’t specified which type of malware was used or whether it paid a ransom.

A spokesperson for the organization, John Erickson, said: “We take safeguarding patients’ information extremely seriously, and have taken steps to address this incident.”

He added: “Our focus now is on notifying and supporting those patients whose information was involved in this incident.”

What information was affected?

Planned Parenthood Los Angeles says that it launched an investigation soon after it discovered the attack to determine whether patient information was compromised.

On November 4, it identified that the following was compromised:

  • Dates of birth
  • Addresses
  • Insurance identification numbers
  • Clinical data
  • Diagnoses
  • Treatments provided
  • Prescription information

Following the investigation, the organization took steps to improve its security measures. This includes increasing network monitoring, working with an external cybersecurity firm and hiring additional cybersecurity resources and personnel.

“PPLA takes the safeguarding of patients’ information extremely seriously, and deeply regrets that this incident occurred and for any concern this may cause,” the organization said.

It added that it is notifying patients of the attack “in the abundance of caution”, explaining what happened and outlining the steps they can take to protect themselves from fraud.

Can we be sure sensitive information wasn’t used fraudulently?

If this incident was a ransomware attack – which it sounds like – it’s possible that Planned Parenthood Los Angeles is correct that no sensitive information was used fraudulently.

Unlike traditional cyberattacks, in which the goal is to steal sensitive information to commit fraud or sell on the dark web, ransomware works by encrypting files and threatening to delete them unless the victim pays up.

In theory, there is no scenario in which the data is used to commit fraud. If the organization meets the attackers’ demands, the information is returned, and if they refuse to negotiate, the information is deleted.

Both cases are still data breaches, because the confidentiality and availability of the information have been compromised. That is to say, it has been accessed by an unauthorized party and the organization is unable to view the data.

If this is indeed what happened, it will be a silver lining for affected patients, but they are still likely to feel aggrieved that the information wasn’t properly protected – particularly given its highly sensitive nature.

There’s also another issue to consider. Organizations are increasingly following the advice of cybersecurity experts, who urge victims not to pay up because there is no guarantee that the attackers will keep their word and return the information once they’ve been paid.

This has become such a common phenomenon that ransomware attackers are changing tactics, leaking the stolen information on the dark web if they don’t get paid.

If Planned Parenthood Los Angeles refused to pay the attackers – which most experts would consider prudent – it may well have resulted in patients’ data being leaked.

The importance of incident response

This incident shows the impossible position that organizations are put in with ransomware attacks. It’s essentially a lose-lose scenario, with either option presenting major security concerns.

The only way that organizations have a chance to come out of an attack relatively unscathed is with effective incident response. Organizations that have a plan for when disaster strikes will understand the steps they should take to mitigate the damage and can act swiftly to minimize delays.

You can find out more about incident response and how IT Governance USA can help by speaking to one of our consultants.

Our team of experts can help you implement the policies, processes and technologies you need to meet your compliance requirements and prepare for whatever threats your organization faces.