In August 2024, Planned Parenthood of Montana suffered a data breach where a cybercriminal gained unauthorized access to its computer network, exposing sensitive personal and protected health information (PHI) of patients. The compromised data included medical records, healthcare insurance IDs, medical identity details, and potentially financial information tied to health savings accounts. Affected individuals were offered settlements including up to $5,000 in reimbursement for documented out-of-pocket losses (e.g., identity theft, credit monitoring fees, ID replacement costs), $80 for lost time, and two years of medical data monitoring with $1 million in identity theft insurance. The breach led to a class-action lawsuit, with the organization settling to avoid litigation costs despite denying wrongdoing. The incident highlights risks to patient privacy, financial fraud, and long-term reputational damage for the healthcare provider.
Source: https://www.claimdepot.com/settlements/ppmt-data-settlement
Planned Parenthood Federation of America cybersecurity rating report: https://www.rankiteo.com/company/planned-parenthood-federation-of-america
"id": "PLA3703637112125",
"linkid": "planned-parenthood-federation-of-america",
"type": "Breach",
"date": "8/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Class members (U.S. individuals '
'notified of the breach)',
'industry': 'Healthcare',
'location': 'Montana, USA',
'name': 'Planned Parenthood of Montana (Intermountain '
'Planned Parenthood Inc.)',
'type': 'Non-profit healthcare provider'}],
'customer_advisories': 'Eligible individuals notified via mail/email with '
'notice ID and PIN for claims; options for medical '
'monitoring, reimbursement, and lost time compensation '
'provided',
'data_breach': {'data_exfiltration': 'Likely (alleged in lawsuit)',
'personally_identifiable_information': ['Names',
'Contact details',
'Medical records',
'Insurance '
'information'],
'sensitivity_of_data': 'High (medical and personally '
'identifiable information)',
'type_of_data_compromised': ['Personal information',
'Protected health information '
'(PHI)',
'Medical records',
'Healthcare insurance IDs',
'Medical record numbers',
'Health savings account (HSA) '
'information']},
'date_detected': '2024-08',
'description': 'A cybercriminal gained unauthorized access to Planned '
'Parenthood of Montana’s computer network in August 2024, '
'potentially exposing sensitive personal and medical '
'information belonging to patients. The breach led to a class '
'action lawsuit, with the organization agreeing to a '
'settlement offering reimbursements, medical data monitoring, '
'and compensation for lost time to affected individuals.',
'impact': {'brand_reputation_impact': 'Significant (settlement and public '
'disclosure)',
'customer_complaints': 'Class action lawsuit filed',
'data_compromised': ['Personal information',
'Protected health information (PHI)',
'Medical records',
'Healthcare insurance IDs',
'Medical record numbers',
'Health savings account (HSA) information'],
'identity_theft_risk': 'High (documented cases eligible for '
'reimbursement)',
'legal_liabilities': 'Class action lawsuit settled; up to $400,000 '
"in attorneys' fees, $5,000 in service "
'awards, and undetermined medical '
'monitoring/claimant payouts',
'systems_affected': ['Computer network']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (implied by '
'identity theft risks)',
'high_value_targets': 'Patient medical and personal '
'data'},
'investigation_status': 'Settled (no admission of wrongdoing)',
'motivation': 'Likely financial (data theft for fraud/identity theft or sale '
'on dark web)',
'references': [{'source': 'Class Action Settlement Notice'},
{'source': 'PPMT Data Incident Settlement Administrator'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit settled',
'regulations_violated': ['Likely HIPAA (Health '
'Insurance Portability and '
'Accountability Act)']},
'response': {'communication_strategy': 'Settlement notices sent to affected '
'individuals; public settlement '
'details provided',
'incident_response_plan_activated': 'Likely (settlement implies '
'response)'},
'stakeholder_advisories': 'Settlement notices sent to affected individuals; '
'public claim submission process established',
'threat_actor': 'Cybercriminal (unknown specific actor)',
'title': 'Planned Parenthood of Montana Data Breach (August 2024)',
'type': 'Data Breach'}