The personal and clinical information of about 400,000 patients of Planned Parenthood Los Angeles (PPLA) was stolen in October in a ransomware attack, the organization announced Wednesday.
In letters and emails sent to patients November 30 to notify them about the attack, Planned Parenthood wrote the files involved in the breach contained patients’ names, addresses, insurance information, dates of birth, and clinical data, such as diagnosis, procedure, and/or prescription information, the Daily Mail reported.
“The breach is staggering both for the number of victims and for the highly personal information hackers stole, which could identify people who’ve had abortions and other procedures,” the Washington Post noted as well Thursday.
According to the letter to patients, PPLA “identified suspicious activity” on its computer network on October 17.
The organization wrote it “immediately took our systems offline, notified law enforcement,” and hired a “third-party cybersecurity firm” to assist in an investigation.
The letter stated the investigation revealed “an unauthorized person gained access to our network” between October 9 and October 17 and “exfiltrated some files from our systems during that time.”
In a section of the letter titled, “What You Can Do,” Planned Parenthood told patients:
At this time, we have no evidence that any information involved in this incident has been used for fraudulent purposes. However, in an abundance of caution, we wanted to notify you of this incident and assure you that we take this very seriously. It is always a good idea to review statements you receive from your health insurer and health care providers. If you see charges for services you did not receive, please call the insurer or provider immediately.
Meanwhile, Planned Parenthood said it will “take steps to enhance our existing security measures” including “increasing our network monitoring” and hiring additional cybersecurity personnel.
“It is unclear whether the Planned Parenthood plans to pay off the hackers that stole the names, addresses, contact information and medical records of their patients,” the Daily Mail noted.