Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million
Reproductive healthcare services provider Planned Parenthood Los Angeles located in Los Angeles County proposed a $6 million settlement to take care of all claims associated with a 2021 data breach that breached the personal data of over 409,437 patients.
From October 9, 2021 to October 17, 2021, hackers got access to the Planned Parenthood Los Angeles network, extracted sensitive patient information, and utilized ransomware for file encryption. On October 17, 2021, Planned Parenthood uncovered the ransomware attack. On November 4, 2021, it was confirmed that the stolen records included patient information. The stolen information included names, birth dates, addresses, diagnoses, medical insurance data, and medical data, such as procedures and prescription medications.
The U.S. District Court of Central California is litigating the lawsuit involving the Planned Parenthood Los Angeles Data Breach. Allegedly, Planned Parenthood Los Angeles’ negligence is due to its failure to apply reasonable and proper cybersecurity steps consistent with industry requirements and had those procedures been enforced, the ransomware attack and data breach might have been prevented. The lawsuit claimed violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the California Confidentiality of Medical Information Act (CMIA).
Based on the lawsuit, the occurrence of the breach was such that patients are more likely to experience harm, because it happened during the Supreme Court debates about abortion. The stolen information likewise contained highly sensitive health data, for example, abortion processes, sexually transmitted diseases treatment, cancer screening data, and emergency contraception medications.
Planned Parenthood Los Angeles opted to resolve the lawsuit without confessing wrongdoing. Claims up to $10,000 will be accepted to pay for recorded losses sustained due to the data breach, which include bank costs, fraudulent charges, credit expenses, and losses due to identity theft and fraud. Class members may claim around 7 hours of lost time valued at $30 an hour. Affected individuals can get credit monitoring and identity theft protection services for three years, including identity theft protection coverage worth $1 million.
Class members are likewise eligible for statutory damages, the payments of which are based on participation rates. Statutory damages will be paid using what is left of the $6 million fund after paying the claims. In case there is a 10% participation rate, the estimated statutory damages are approximately $66 per class member. Class members refer to those who received notification about the data breach from Planned Parenthood Los Angeles in or about November 2021.
The last date to file for objection/exclusion is on June 6, 2024. The last day to file claims is on June 7, 2024. The scheduled final hearing is on August 8, 2024
Children’s Healthcare of Atlanta Faces Lawsuit for Sharing Health Data on Facebook
Children’s Healthcare of Atlanta is facing a class action lawsuit for using website tracking codes. Based on the lawsuit, Children’s Healthcare of Atlanta used Meta pixel tracking code on its MyChart patient portal and its CHOA.org website. Children’s Healthcare of Atlanta wanted to gather information for marketing purposes through the tracking code and sent the collected information to Facebook, which was employed to serve targeted advertisements.
The Superior Court of DeKalb County State of Georgia is litigating the lawsuit, which alleges that the tracking code was intentionally set up to gather user information from the website and patient site and that the tracking code sent information to Facebook, which includes sensitive health data like data about patients’ health issues, consultation information, and treatments. The data wasn’t unidentified, since it was connected to individuals through identifiers like Facebook IDs, IP addresses, and browser and device details.
The lawsuit claims that using tracking code on the website and patient portal, and the succeeding disclosures of protected health information (PHI) to Facebook violated the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Healthcare of Atlanta privacy policy. The plaintiff claims that she was not told that Children’s Healthcare of Atlanta would be disclosing her and her children’s info to third parties for income purposes, did not give her permission, and was not informed that the information will be made available to Facebook, which the lawsuit identified as a company with a history of consumer privacy violation just to increase advertising revenue.
The lawsuit claims the plaintiff and class members were hurt by the disclosures, which include but are not restricted to an attack on their privacy rights, and alleges invasion of privacy, negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, bailment and breach of confidence. The lawsuit wants damages and other payments that the court believes are just and appropriate. The legal representatives of the plaintiff and class are lawyers from the law companies Alonso Wirth; Stranch, Jennings & Garvey; Cohen & Malad; and Turke & Strauss.
The Seattle Children’s Hospital (SCH) lawsuit had the same accusations about using Meta pixel but a Washington court lately dismissed the case with prejudice. Seattle Children’s Hospital contended that it only sent anonymous information to third parties, that its privacy policy explained the sharing of anonymous information with third parties, and that no tracking code was placed on its patient site. SCH stated any identifiable data that was shared was because the plaintiffs were using browsers that they authorized to share identified data.
