Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million
Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.
Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.
A lawsuit – In re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).
According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.
Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.
Key Dates:
- Deadline for objection/exclusion: June 6, 2024
- Deadline for claims: June 7, 2024
- Final Hearing: August 8, 2024
