Lab provider for Planned Parenthood discloses breach affecting 1.6 million people

A lab company providing services to some Planned Parenthood centers disclosed a data breach on Friday impacting about 1.6 million people.

Laboratory Services Cooperative (LSC) said it initially discovered the cyberattack on October 27 and began an investigation that was completed in February. 

The stolen data includes medical information like dates of service, diagnosis, treatments, lab results, treatment locations and the details of the care provided alongside personal information like health insurance numbers, bank account details, payment cards, Social Security numbers, IDs and more. 

For employees of LSC, the leaked information includes data from dependents or beneficiaries. The company filed breach notifications in Maine, California and other states. 

LSC provides lab testing services to a “select number” of Planned Parenthood centers in 30 states as well as the District of Columbia. The company warned that anyone who visited one of these centers and had lab tests done or were referred for lab tests may have had their information leaked. 

“It is important to note that LSC began providing services to these centers at different times, with some partnerships starting as recently as the past few years,” the company explained. 

“Our call center can help determine whether a specific Planned Parenthood health center has partnered with LSC for lab testing services.”

No hacking group has taken credit for the incident but LSC said the cybercriminals behind the attack accessed and removed files from their network. The company said it has hired cybersecurity firms to monitor the dark web for any of the stolen information, which it said has not appeared online as of April 10.

Victims are being offered one year of credit monitoring services.

Planned Parenthood clinics carry troves of incredibly sensitive healthcare data that patients would not want  public, including data on abortion procedures and more. Last year, outrage ensued after a pro-life political organization obtained mobile phone location data from a broker and used it to target people who had visited the organization’s clinics.

Women in multiple states who have dealt with pregnancy related issues, as well as abortion providers, have been arrested recently, making the exposure of information related to procedures particularly sensitive. Some prosecutors in states where abortion is now banned have even sought to access to medical information for women who receive out-of-state abortions. 

A lawsuit was filed in the fall accusing conservative activists of going so far as to intercept patients’ exchanges with local abortion clinics in an effort to stop procedures. In September, a ransomware gang attacked the Montana branch of Planned Parenthood.