A hacker accessed the personal information of roughly 400,000 patients of Planned Parenthood Los Angeles in October, the reproductive healthcare provider said Wednesday.
Planned Parenthood Los Angeles said in a statement that there is no evidence so far that any patients’ information was used for fraudulent purposes, and it was notifying patients whose information was accessed.
Staff members first noticed suspicious activity on their computer network Oct. 17, according to the statement. Planned Parenthood Los Angeles took its systems offline, notified law enforcement and retained a third-party cybersecurity firm to help investigate.
The investigation, which is ongoing, has determined that a hacker got access to the healthcare provider’s network between Oct. 9-17, according to the statement. The hacker installed malware and took some files from the system.
Once Planned Parenthood identified the affected files, it began a review to determine whether they contained any patient information, according to the statement.
On Nov. 4, the organization identified files that had certain patients’ names as well as one or more of the following: dates of birth, addresses, insurance identification numbers, clinical data, diagnoses, treatments provided and prescription information, according to the statement.
Planned Parenthood Los Angeles has taken steps to enhance security measures and protect patients’ information such as increasing network monitoring, working with an external cybersecurity firm and hiring additional cybersecurity resources and personnel, according to the statement.
“PPLA takes the safeguarding of patients’ information extremely seriously, and deeply regrets that this incident occurred and for any concern this may cause,” the statement said.
Out of caution, Planned Parenthood is sending letters to the affected patients explaining what happened and outlining steps they can take to protect themselves from fraud.
“Patients are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see charges for services they did not receive,” the statement said.
The hack was limited to Planned Parenthood Los Angeles and didn’t affect any other affiliates, according to the statement.
The Washington Post first reported the data breach on Wednesday.