Cyber Incident Victim: Planned Parenthood of Metropolitan Washington, D.C.

On September 3, 2020, Planned Parenthood of Metropolitan Washington, D.C. (PPMW) detected unusual activity on its network systems, prompting immediate action to secure its infrastructure. The organization initiated an internal investigation and notified law enforcement agencies of the suspected breach. Forensic analysis confirmed unauthorized actors had accessed and exfiltrated documents containing sensitive patient information during the incident. The compromised data included patient names, addresses, dates of birth, medical record numbers, clinical details such as provider names, dates of service, diagnoses, treatments, and prescription information. For some individuals, exposed records additionally contained health insurance details, financial account information, and Social Security numbers. PPMW formally reported the hacking incident to the U.S. Department of Health and Human Services (HHS) on November 20, 2020, classifying it as a network server breach affecting 500 patients in its initial submission.

PPMW delayed notifying affected patients until approximately five months after discovering the breach, exceeding the 60-day notification window required under federal regulations. The organization’s public notice, published on its website, acknowledged the data access and exfiltration but provided no explanation for the delayed patient notifications. While PPMW emphasized no evidence of data misuse had been identified, the investigation conclusively determined that attackers had copied documents containing protected health information. The incident remained listed as open or under investigation in HHS records at the time of public disclosure. Impacted individuals were offered complimentary credit monitoring services, though the notice did not specify containment measures beyond initial system securing and investigative steps taken in September 2020.