Nearly half a million Planned Parenthood records stolen in ransomware attack

Planned Parenthood clinic entrance showing entry sign and building, This clinic is in Pullman Washin...


Records stolen from Planned Parenthood's servers.

UCG/Universal Images Group/Getty Images

More than 400,000 patient records have been stolen from Planned Parenthood’s Los Angeles database, a spokesperson for the nonprofit announced this week. The LA clinic system was reportedly hit by a ransomware attack — though no information has been released about whether or not the hacker was paid.

The sheer amount of information obtained by the hacker is astounding, though Planned Parenthood has downplayed it somewhat by sticking to abstractions. Stolen files included address, insurance information, date of birth, and clinical information (like diagnoses, procedures, or prescription information), according to a letter sent to patients this week.

The letter indicates that, as far as Planned Parenthood can tell, none of the stolen information has been “used for fraudulent purposes.” That’s all nice and good, but someone — or a group of someones — now has access to medical data belonging to more than 400,000 people.

Malware is very difficult to avoid. But we do have to wonder why we’re just hearing about it now, when the hack reportedly happened in mid-October.

Ransomware everywhere — Our cybersecurity systems are more complex than ever before, but computer viruses — just like IRL viruses — can very quickly adapt to get around new protections. In many cases, ransomware mutates faster than we can keep up with it.

Just like COVID-19, ransomware really began picking up the pace in 2020. Cybersecurity firm Emsisoft estimates that 113 federal, state and local governments reported being hit by ransomware throughout the year, costing them nearly $1 billion in ransom fees.

2021 has been particularly bad for ransomware. In May, a Russian hacking group utilized ransomware to take down the largest U.S. fuel pipeline. The attack was so crippling that the U.S. Department of Transportation issued an emergency declaration to circumvent the pipeline. Just a few weeks later, another ransomware attack to seriously impair one of the world’s largest producers of beef.

What took so long? — Ransomware, like all malware, is exceedingly difficult to dodge. As far as the public is concerned, blame for the hack itself rests solely on the hackers. We can’t fault Planned Parenthood for that without intimate knowledge of its cybersecurity systems.

Here’s the thing: Planned Parenthood says it first discovered suspicious activity on October 17. A review of the files took until about November 4. It is now December. We’re talking about sensitive medical information here — and Planned Parenthood sat on that knowledge for weeks before alerting those affected.

Planned Parenthood says it is hiring more cybersecurity talent and working with external cybersecurity firms to ensure its data is better protected in the future.