Planned Parenthood LA Data Exfiltrated, 400,000 AffectedWill Other Entities Handling Sensitive Health Data Become Next Targets?
Planned Parenthood Los Angeles is notifying about 400,000 individuals of an apparent ransomware attack in October that involved exfiltration of files containing sensitive health information, including patients' diagnoses and medical procedures.
See Also: Case Study: The Road to Zero Trust
In a sample data breach letter provided to the California attorney general's office on Wednesday, PPLA says that on Oct. 17, it identified "suspicious activity" on its computer network.
PPLA says it immediately took its systems offline, notified law enforcement authorities and engaged a third-party cybersecurity firm to assist.
While the PPLA letter does not specify the type of data security incident, The Washington Post on Wednesday reported that a PPLA spokesman confirmed the breach involved ransomware and affected about 400,000 individuals.
PPLA did not immediately respond to Information Security Media Group's request for comment.
As of Thursday, the PPLA incident had not been posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
In its notification statement, PPLA says its investigation determined that an unauthorized person gained access to PPLA's network between Oct. 9 and Oct. 17, and exfiltrated some files from its systems during that time.
PPLA says that on Nov. 4 it identified that the compromised files contained information including patient names, plus one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure and prescriptions.
"At this time, we have no evidence that any information involved in this incident has been used for fraudulent purposes," PPLA says.
The PPLA incident is among the latest ransomware and other cyberattacks on healthcare provider organizations resulting in major breaches involving sensitive health data.
For instance, in October, medical testing laboratory company Quest Diagnostics revealed that an August ransomware attack on its ReproSource Fertility Diagnostics subsidiary led to the potential compromise of 350,000 patients' personal information.
ReproSource faces at least one proposed class action lawsuit in the wake of the incident, so far. That lawsuit - alleging negligence and a number of other counts - was filed in a Massachusetts federal court last month by a patient on behalf of others also affected by the incident.
News of the attack on PPLA broke on Wednesday, the same day the U.S. Supreme Court heard oral arguments about a controversial Mississippi law that highly restricts abortions in that state, and some experts note the possibility of similar attacks - including by hacktivists - on other reproductive healthcare providers to potentially threaten their patients.
"We don’t know yet - from what is reported - whether this was done for money … done by a malicious insider, or [occurred] randomly because a phishing email made it past filters and someone clicked on a bad link," says Lee McKnight, an associate professor and cybersecurity researcher at Syracuse University. Other possibilities include "the hacktivist scenario," he adds.
"The likelihood of a demand being paid is linked to the sensitivity of the data that was exfiltrated, and that means cyber-extortionists perceive organizations such as Planned Parenthood as ideal targets," notes Brett Callow, a threat analyst at security firm Emsisoft.
"Unfortunately, it’s certainly possible that affected individuals could be contacted by the criminals, either in an attempt to extort money or to get them to pressure Planned Parenthood into paying," he says. "Sadly, this has become an increasingly common tactic."
The type of highly sensitive medical information exfiltrated in the cyberattack on Planned Parenthood is especially alarming, other experts note.
"This is a particularly damaging attack in that it targets vulnerable women and makes them susceptible to online harassment," says Jane Grafton, a vice president at security firm Gurucul. "This is the kind of data that absolutely has to be protected more securely," she says.
Healthcare entities, especially those handling particularly sensitive information need to take critical steps to protect their systems and data as threats surge, other experts note.
"The top lesson is that all of our systems are being scanned. It is foolish to think that any system - especially a high-visibility system like Planned Parenthood - would not come under some sort of cyberattack," says Garret Grajek, CEO of security firm YouAttest.
"Planned Parenthood, like any other site that would be targeted, needs to look at implementing zero trust on their network and practice the principle of least privilege on their identities - both on-premises and cloud-based."
McKnight recommends that all healthcare organizations take a number of proactive steps to avoid becoming the next potential victims of major health data breaches.
That includes reviewing their own internal - as well as IT service providers' - patch management and software update procedures and compliance; conducting staff cybersecurity awareness training; complying with federal, state and local standards; and ensuring data backup and disaster recovery procedures.
He also says the microsegmentation provided by zero trust architecture reduces risks and reduces the impact when a breach happens.
Other healthcare organizations steeped in controversial circumstances have periodically found themselves in the crosshairs of cyberattacks.
For instance, hacktivist Martin Gottesfeld in 2018 was convicted and later sentenced to 10 years of federal prison time for launching distributed denial-of-service attacks on Boston Children's Hospital and another local facility in 2014 in protest of the organizations' involvement in a controversial child custody case (see: Boston Children's Hospital Hacker Gets Long Prison Sentence).
Prosecutors in the case said the DDoS attacks disrupted the children's hospital's network for at least two weeks and hampered the internet connectivity of other Boston-area hospitals.