Planned Parenthood Los Angeles (PPLA) is confronting a class action lawsuit with regards to a ransomware attack that was uncovered on October 17, 2021. The cyberattack breached the protected health information (PHI) of over 409,759 patients. The notification letters were mailed to the affected people on November 30, 2021, wherein PPLA mentioned the breach of its systems on October 9, 2021. The attackers obtained access to files comprising PHI up to October 17, which is the time they were thrown out from the network.
The records on the impacted systems comprised names, dates of birth, addresses, diagnoses, treatment, and medication details, and certain files were exfiltrated from its system before the encryption of files. PPLA mentioned it didn’t get any proof to suggest patient data has been misused.
A PPLA patient who had his PHI compromised in the security breach has filed a lawsuit regarding the incident. The lawsuit was submitted in the U.S. District Court of Central California and states the patient, as well as class members, were put at impending risk of harm due to the theft of their sensitive health information, which included electronic health records that note the processes conducted by PPLA for instance abortions, treatment of sexually transmitted diseases, emergency contraception medications, cancer screening data, other remarkably sensitive health data.
The lawsuit additionally references the time of the ransomware attack, which synchronized with the Supreme Court discussions on abortion, and claims the compromise of data on abortion treatments at this time makes it very likely that patients will experience problems. Aside from experiencing an upcoming danger of harm, affected people are possible to keep experiencing economic and actual hurt and have lost control of their healthcare records. They have likewise suffered out-of-pocket expenditures because of the data breach for example money and time spent securing their accounts, keeping track of identity theft and fraud, and doing something to stop improper use of their personal data. The lead plaintiff claims she has encountered actual harm because of the breach, which includes stress and anxiety, and has furthermore sustained damage and reduction in the value of her personal details.
Though the Health Insurance Portability and Accountability Act (HIPAA) is without private cause of action, the lawsuit states PPLA has violated HIPAA by its inability to make certain the privacy of patient information and not enough cybersecurity procedures are set up to avert unauthorized PHI access. The legal action furthermore says that this is the third data breach experienced by PPLA in the last 3 years.
Besides the HIPAA violations, the lawsuit says PPLA likewise breached the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA).
The lawsuit wishes injunctive relief, statutory and compensatory damages, investment in cybersecurity procedures to make sure other breaches don’t happen, and for impacted persons to be given identity theft protection and restoration services and to get an identity theft insurance coverage plan.