According to this article, 2021 has been a “particularly dire year” for health care data breaches. So, it may not seem shocking that a hacker gained access to the protected health information of approximately 400,000 Planned Parenthood Los Angeles patients in October. What is unusual about this particular hacking incident is its timing. Planned Parenthood Los Angeles published Notice of the incident on Wednesday, December 1, 2021, the same day the U.S. Supreme Court heard oral argument on the controversial issue in the highly publicized case of Dobbs v. Jackson Women’s Health.
As described in the Notice, Planned Parenthood Los Angeles acted quickly, completed an initial forensic review of affected data in less than 3 weeks, and published the Notice less than 45 days after discovery. Yet, Planned Parenthood Los Angeles now faces a class action lawsuit over the breach.
Although HIPAA does not provide a private right of action, the lawsuit alleges negligence, invasion of privacy, and violations of three California state laws: (1) the California Confidentiality of Medical Information Act, (2) the California Consumer Records Act, and (3) California’s Unfair Competition Law.
California claims aside, Planned Parenthood Los Angeles appears to have taken its HIPAA breach notification obligations very seriously, perhaps in recognition of the need to alert women as quickly as possible of an incident involving uniquely sensitive health information.
Unfortunately, not all entities entrusted with maintaining health information, even uniquely sensitive information about women’s sexual and reproductive health, take their federal breach notification obligations as seriously. Flo Health, Inc., an app used by more than 100 million women to track personal menstruation and fertility information, didn’t provide notice until reaching a settlement with the Federal Trade Commission in January 2021. Its breach came to light as a result of an investigation by the Wall Street Journal published in February 2019. (For more about the Flo Health breach and settlement, you can read our blog here.)
The timing of the Planned Parenthood Los Angeles incident relative to the legal and political spotlight on Roe v. Wade is most likely coincidental. It serves as a stark reminder, though, that personally (and politically) sensitive information may be targeted by hackers despite the provider’s best efforts to avoid data breaches.