Planned Parenthood Ransomware Attack Has Far Reaching Implications

The Planned Parenthood Los Angeles affiliate announced that their computer network was hit by a ransomware attack. The compromise occurred between October 9 and 17 and affected around 400,000 patients’ data.

What is concerning is the lack of details provided regarding who has the compromised data and what their intentions are, as it not only includes names but also incredibly sensitive data regarding their diagnosis and procedures. In a letter sent to affected patients LAPP stated:

On November 4, 2021, we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.

Often patients utilize the services of Planned Parenthood for diagnosis of sexually transmitted diseases, as well as well as reproductive services among other procedures. This information is incredibly sensitive and of the type that individuals often want to keep very private.

In addition to the ransom demand itself, the greater risk is in this information being exposed either en masse, or leveraged for blackmailing individuals. However, in the letter to the patients affected there is no mention of the very real risk of this information being disclosed publicly or via blackmail, only for patients to look for fraud regarding billing irregularities.

At this time, we have no evidence that any information involved in this incident has been used for fraudulent purposes. However, in an abundance of caution, we wanted to notify you of this incident and assure you that we take this very seriously. It is always a good idea to review statements you receive from your health insurer and health care providers. If you see charges for services you did not receive, please call the insurer or provider immediately.

As profits for ransomware gangs and affiliates soar, these cybercriminal entrepreneurs have become more brazen in their attacks, expanding their targets to include hospitals, schools and critical infrastructure. These groups have also upped their tactics to not only encrypt the data, but also exfiltrate it and threaten to release it to put additional pressure on targets to pay the ransom. In this case, the public disclosure of this data could have a significantly larger impact than holding the data at ransom.

Given the political nature of some of the procedures if this information is exposed it can put individuals at risk, as there are activist groups and others who may target individuals who have had abortions at the clinic, for example, or use the information to harass them, or worse.

If a patient was treated for an STD, there is the risk of potential embarrassment and harassment as well. The location of the clinic targeted being in Los Angeles may not be a coincidence as there is the potential that in the 400,000 patients there may be celebrities, which could provide yet another lucrative target for blackmail from the attackers. 

Neither the letter sent to patients affected, nor the LAPP spokesperson’s comments mentioned which ransomware group was responsible or whether there have been threats to expose the information - however, ransomware gangs will often publicize their compromises with threats to release the data on a leaks page to put pressure on the target if their ransom demands are not met. 

Cybereason monitors multiple ransomware groups’ leaks pages and other underground forums, and we have not seen any group take credit for the attack or make threats to release the compromised data at this point, but the ransomware gangs often give some time for negotiation before posting any details.

In addition to monitoring for billing irregularities as suggested by LAPP, we suggest increased vigilance for those impacted to be on the lookout for any potential follow up attacks or blackmail attempts and to notify authorities of anything suspicious.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Ken Westin
About the Author

Ken Westin

Ken Westin is Director of Security Strategy at Cybereason. Ken has been in the security field for over 15 years, working with companies to bolster their security posture through threat hunting, insider threat programs and vulnerability research. In the past, he has worked closely with law enforcement, helping to unveil organized crime groups. His work has been featured in Wired, Forbes, New York Times, Good Morning America and others, and he is regularly reached out to as an expert on cybersecurity, cybercrime and surveillance.

All Posts by Ken Westin