Planned Parenthood Los Angeles has sent out breach notification letters to about 400,000 patients after the organization suffered from a ransomware incident between October 9 and October 17.
In a letter shared with the California Attorney General's office and sent out on November 30, the organization said it identified suspicious activity in its computer network on October 17.
"We immediately took our systems offline, notified law enforcement, and a third-party cybersecurity firm was engaged to assist in our investigation. The investigation determined that an unauthorized person gained access to our network between October 9, 2021, and October 17, 2021, and exfiltrated some files from our systems during that time," the organization said.
"On November 4, 2021, we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information."
The organization is not offering any identity protection services for those affected, only urging victims to review statements received from health insurers or healthcare providers. They said they planned to hire a cybersecurity firm to help with the incident and improve their cybersecurity systems. Law enforcement was called in to help with the attack, according to CNN, but it is unclear which group is behind the attack.
The attack was first reported by The Washington Post, which noted that other branches of the organization had been hacked in the past, both by opportunistic cybercriminals and anti-abortion activists.
Despite the vital role healthcare organizations have played in addressing the COVID-19 pandemic, cybercriminals have shown little reticence in attacking hospitals and clinics. Over the last two years, multiple healthcare organizations have announced attacks and breaches involving sensitive patient data, including Social Security Numbers and bank account information.
Garret Grajek, CEO of YouAttest, listed off multiple recent healthcare-related cyberattacks, including ones involving the Tardigrade malware, which was released upon vaccine manufacturers. He added that the DeepBlueMagic hackers recently shut down the computer system in a major Israeli hospital.
"The PII/PHI that has been stolen from Planned Parenthood go beyond the usual threat actor's desire for identity data to resell on the dark web. Given that not only was standard identity information stolen, but the theft was coupled with medical background and procedure data, the ramifications of malicious use of this data are easy to imagine," Grajek said.
"The mechanism has not been revealed, but previous hacks on medical institutions have shown a proclivity to both social and technical hacking methods, given the amount of personnel involved and the difficulty of enacting safe security conduct by all team members."
Ekram Ahmed, spokesperson at cybersecurity firm Check Point, said those affected should be watchful for a hacker technique called 'Triple Extortion'.
"In this tactic, hackers are not only encrypting files and then ransomware, but they go to patients directly, threatening to reveal sensitive information unless paid. Here, over 400,000 patients, which is a staggering number for a data breach, can potentially become victims to Triple Extortion, which could be devastating," Ahmed said.
"Healthcare records are known to be one of the most valuable types of information that hackers look for. The reason being is that cybercriminals can use this data to create false identities, commit health insurance fraud and illegally obtain prescription drugs. Furthermore, stolen patient information can be stolen for top dollar on the dark web. This year, the healthcare sector sees 752 ransomware attacks a week on average, marking a 55% increase compared to last year."
Gurucul vice president Jane Grafton noted that the ransomware attack on Planned Parenthood Los Angeles occurred right as the Supreme Court actively debates a direct challenge to the 1973 Roe v. Wade ruling.
"Women's personal procedures and diagnosis are just that: personal. Having them stolen for potential exposure puts women in the political crosshairs," Grafton said. "Securing medical records has never been more important. We can only hope that this information stays out of the public eye."