The Washington PostDemocracy Dies in Darkness

D.C.’s Planned Parenthood reports data was breached last fall

Months later, the organization has started reaching out to affected patients and donors

The headquarters of Planned Parenthood in D.C. (Bill O'Leary/The Washington Post)
Placeholder while article actions load

Planned Parenthood of Metropolitan Washington, D.C., on Friday revealed it had a breach of patient and donor information last fall.

In a notice posted to its website, the organization revealed that it found “unusual” activity on its networks on Sept. 3. At that time, it began securing its systems, started an investigation and notified law enforcement.

“Nothing is more important to us than our patients’ privacy,” the notice said. “We have extensive security measures in place, and we continuously take steps to enhance the security of our systems and the data entrusted to us. We will also continue to assist law enforcement’s efforts to identify and prosecute the perpetrators of this incident.”

On Oct. 21, the investigation determined that “unauthorized actors gained access to [the] network.” It also revealed that the data breach, which occurred from Aug. 27 to Oct. 8, impacted only the D.C. branch.

PPMW indicated that confidential data was breached during the incident when the hackers acquired copies of documents that contained patient information. Leaked information included names, addresses, dates of birth, diagnoses, treatments and prescription information. Social Security and financial information was also included in the breach. Joshua Speiser, director of communications for PPMW, said the breach affected a limited number of its patients but did not provide a more specific figure.

The notice did not mention that donors were compromised in the breach but those affected also received letters. Check images with a donor’s name, bank account number and routing number were among the documents included in the leak.

On April 9, PPMW began mailing letters to affected patients about whom they could reach for guidance on further protecting their information. The findings of the investigation found “no reason to suspect that there has been any fraudulent use of patient information associated with this incident.” However, the organization is providing patients whose Social Security and driver’s license numbers were compromised with complimentary credit monitoring and identity-theft protection services. Donors with compromised bank information did not receive the same service offer.

The organization has been working with law enforcement to continue investigating who committed the breach, but Speiser said they have “no indication PPMW was specifically targeted because of the work we do.”

This story has been updated.