Planned Parenthood of Metropolitan Washington, D.C.

Planned Parenthood of Metropolitan Washington, D.C., functions as a healthcare provider in the Washington, D.C. metropolitan area, offering medical services that generate and require the secure handling of sensitive patient information. The organization operates under several similar names, including Planned Parenthood of Metropolitan Washington, D.C. and Planned Parenthood Metro Washington, with its headquarters located in the United States of America. Clinical interactions involve the creation and maintenance of records containing personal identifiers such as names, addresses, and dates of birth, alongside medical documentation including diagnoses, treatments, and in some instances health insurance details, financial account information, and Social Security numbers. This data scope indicates comprehensive patient care activities, though specific service offerings are not detailed in available records. The provider serves a local population within the capital region, but quantitative measures of patient volume or facility count are not provided. As an entity handling protected health information, it falls under regulatory frameworks governing patient data privacy and security, such as those mandating timely breach notifications. No ownership structure or affiliation with larger health systems is indicated in the current context.

On September 3, 2020, the organization suffered a security breach characterized by unauthorized access to its network and the exfiltration of sensitive patient documents. The compromised data encompassed a wide array of personal and medical information, including names, addresses, dates of birth, medical records, clinical details, and occasionally financial and insurance data as well as Social Security numbers. While the organization reported impacting 500 individuals to meet regulatory deadlines, available evidence suggested the actual exposure might have affected a larger number of patients. Patient notifications were conducted approximately five months after the breach was discovered, a delay that exceeded the typical 60-day requirement without any explanation provided for the tardiness. At the time of reporting, the incident remained under investigation by relevant authorities. No subsequent updates on the investigation findings or remediation measures are included in the available information.