Planned Parenthood patients are filing a lawsuit concerning the theft of their sensitive information from Laboratory Services Cooperative (LSC). Planned Parenthood centers in 30 states, including the District of Columbia, use this diagnostic testing service provider in Seattle, WA.
On October 27, 2024, LSC discovered unauthorized activity within its computer system. The forensic investigation affirmed in February 2025 the unauthorized access by a third party to its system and the theft of files that included sensitive patient information, such as names, contact details, birth dates, medical and clinical data, medical insurance data, billing and claims data, payment card details and banking details, Social Security numbers, passport numbers, driver’s license numbers, and other highly sensitive data. The breach also affected the employees, whose dependent or beneficiary details were potentially stolen during the attack. Altogether, the data breach impacted roughly 1.6 million people who received notification letters in April 2025. The victims will also receive free credit monitoring and identity theft protection services.
LSC is now facing three class action lawsuits because of the data breach. The lawsuits Daniels v. Laboratory Services Cooperative, Doe v. Laboratory Services Cooperative, and Wynn v. Laboratory Services Cooperative were filed in the U.S. District Court for the Western District of Washington. The lawsuits claim LSC was negligent for not implementing good and proper cybersecurity measures to secure sensitive patient information. If cybersecurity measures had been implemented, the data breach might have been averted. The lawsuits also claim LSC committed breach notification failures, because it issued notification letters 5 months after breach discovery, and the letters didn’t provide the important details i.e., when the breach happened, how it was discovered, and how the attackers accessed its system. The lawsuits also allege invasion of privacy, claims of breach of third-party beneficiary contract, as well as violations of the HIPAA Data Breach Notification Law, and the Washington Consumer Protection Act.
The lawsuits want a jury trial, payment for damages, and injunctive relief, which includes a court order requiring LSC to apply a variety of security options to avoid the same data breaches later on. Security options could include external security audits, encryption, penetration testing, and the removal of the personally identifiable information (PII) of people impacted by the data breach.
Image credit: Balint Radu, AminaDesign / AdobeStock
