The Planned Parenthood Hack: HIPAA Breach Notification Rule in Context

What is the most sensitive decision you've ever had to make? It might linger at the back of your mind, like an untold secret. It might color your choices, lurk in your thoughts, and stay with you for life.

Now imagine if the whole world learned this secret at once and there was nothing you could do about it. 

For many women in the Los Angeles, California region, this nightmare recently became a reality. The HIPAA breach notification rule came into play in December. 400,000 Planned Parenthood patients were to learn that their private health information was no longer private.

Needless to say, this news has shaken many individuals, who are seeking to better understand what happened and what to do next. 

What went wrong with the Planned Parenthood hack? How could appropriate HIPAA compliance training have prevented this incredibly sensitive patient data from leaking? Keep reading to learn why this moment in history makes this data breach particularly sensitive.

The Context For The HIPAA Breach

This is a tenuous time to be a woman or a person with a uterus in the United States. Supreme Court justices recently heard arguments about banning abortion procedures after fifteen weeks of pregnancy. As a result, many worry that the supreme court may overturn the historic Roe vs Wade ruling.

This would make a common medical procedure illegal for vulnerable members of the gender minority across America. 

Restricting the right to a medical procedure such as abortion is restricting an individual's right to bodily autonomy. This has been the case for much of history. Individuals have had to go to extremes, forming collectives such as JANE, to gain access to this lifesaving medical procedure. 

Planned Parenthood clinics offer a variety of health services, including low-cost cancer screenings. Even so, they have a national reputation as providers of abortion procedures.

In this country, one in four women will have an abortion in their lifetime. Clearly, keeping the details surrounding this procedure confidential is of the utmost importance. 

Should Women Worry?

Imagine that you have had an abortion. Whether it was a difficult choice or not, it was still a personal decision. Your privacy surrounding this choice matters.

The concern is that, in the wake of recent legislation changes, hacking a major abortion provider might have been malicious. Many women fear that the hackers intended to do harm. 

Many worried, for example, that this data could become part of a doxxing scheme. Doxxing is when private information is maliciously published on the internet. This can include health information, such as disclosing a woman's abortion history.

If this was to occur, an individual's employer could potentially gain access to this information.

It will be a relief to know that, although this breach became public this week, the actual hack took place before the recent Supreme Court hearings. Data suggests that the breach itself took place in October. Even so, the release of this data is concerning for those who fear that their professional reputation may be at risk. 

Look To the Law

The good news is that legal precedents exist that can protect an individual's employment in such situations.

The U.S. Equal Employment Opportunity Commission is very clear on this. They state that employers cannot fire someone for obtaining an abortion procedure. This includes the state of California, where this particular breach took place. 

The Pregnancy Discrimination Act also protects individuals seeking healthcare procedures surrounding pregnancy. This includes termination procedures. Two appellate rulings set this precedent: Turic vs. Holland Hospitality, Inc. and Doe vs. C.A.R.S. Protection Plus, Inc. 

In the case of the former, an employee avoided termination after debating whether to pursue abortion in front of coworkers. In the latter, the courts determined that receiving an abortion was not grounds for termination.

In both cases, it's clear that even the most religious or conservative employers cannot punish employees for abortion. Employees are free to pursue medical interventions undergone on their personal time. 

The HIPAA Breach Notification Rule

A HIPAA breach notification requirement comes into play when the information accessed during a hack or breach contains PHI. PHI stands for personal health information. It includes any personally identifying information tied to confidential medical procedures. 

During the Planned Parenthood breach in October, hackers accessed PHI. This necessitated contacting and notifying all 400,000 patients whose data became compromised. These individuals received formal notification this month. 

According to the letter, the information accessed by the hackers may have contained the following:

  • Patient's full names
  • Dates of birth
  • Home addresses
  • Insurance ID numbers
  • Clinical data
  • Diagnoses
  • Treatments provided 
  • Pharmaceutical prescription information 

The HIPAA Breach Notification Rule required Planned Parenthood to notify all patients affected, as well as the media. Internally, the rule required Planned Parenthood to inform its in-house HIPAA security authorities. Additionally, the rule required them to notify the OCR. 

The language in the rule requires that the notifications reach those affected "without reasonable delay." In most cases, covered entities must notify those involved in the breach within sixty days. This may be why patients received letters in December rather than at the time of the breach. 

The Past And The Future

Breaches such as these are not altogether uncommon. Even so, a Planned Parenthood breach can feel more sensitive, personal, and politically driven.

In 2015, a hack maliciously targeted the employees of a Planned Parenthood clinic. In 2020, there was a hack of the Metropolitan Washington D.C branch of the organization. That breach compromised financial information belonging to donors. 

In both cases, HIPAA law came into play. All involved received appropriate notification within the sixty-day window. Additionally, the branches took steps to reduce the likelihood of future attacks.

There is no suggestion that any harm occurred in the aftermath of either breach. In the case of the LA Planned Parenthood hacking, the same is true.

The Los Angeles branch of Planned Parenthood has committed to increased cybersecurity and network monitoring. They hope to prevent future hacks and restore patient confidence. There is currently no evidence that any of the data accessed has been part of doxxing or identity theft schemes. 

It seems unlikely that any new abortion legislation will affect Planned Parenthood patients in California. The liberal state is unlikely to restrict access to abortions regardless of Supreme Court rulings. 

Moving Forward After A Breach

What should individuals do in the aftermath of this breach?

Patients affected may wish to monitor statements from healthcare providers and health insurers. If anything looks incorrect, they should contact Planned Parenthood immediately. 

They may also wish to put a freeze on their credit files so that hackers cannot use personal data to open new accounts. This process is free. Those concerned can contact all three major credit bureaus online.

Additionally, it may be wise for those affected to pursue credit monitoring services. In the case of smaller breaches, these services are sometimes provided gratis by the affected organization. In the case of the large Planned Parenthood breach, those affected should pursue these services on their own. 

Downloading an authentication app may also put individuals at ease following a breach. This will ensure that nobody can impersonate you using your data without your consent.

Enabling two-step authentication on your accounts is a wise choice for your safety. This is true regardless of your involvement with this or any other breach. 

Check In With Yourself

For some women, the biggest concerns following such a breach might be psychological. These concerns, however, are unlikely to be due to the abortion procedure itself.

Undergoing an abortion procedure does not increase the risks of mental health conditions. These conditions include PTSD, depression, and anxiety. 

Women who experience multiple unwanted pregnancies may already have mental health risk factors. This violation of your privacy could compound preexisting health concerns. If this is true for you, you may wish to seek help. 

Consider seeing a therapist. If this is not possible, you might pursue other low-cost alternatives. For example, you might attend a support group or begin a meditation practice.

Downloading a mental health app is another inexpensive way to cope. These apps can provide you with tools and techniques to get you through a challenging period. 

Be aware that Planned Parenthood has taken steps to ensure that the data leaked cannot harm you. If you still have concerns about your safety, reach out to your healthcare provider, authorities, or a trusted friend. 

Your Health, Your Safety

No matter why you've sought medical care, your private medical data is confidential. The HIPAA breach notification rule seeks to keep your personal health information safe. This is true whether you're receiving a physical or an abortion.

The political environment makes this poorly-timed announcement feel ominous. Planned Parenthood is following every rule when it comes to responding to this unfortunate breach. If you take appropriate action, your data will remain private.