Maria Orellana vs. Planned Parenthood Los Angeles

Case Background

On December 3, 2021, Plaintiff Maria Orellana filed the first data breach lawsuit against Planned Parenthood Los Angeles (“PPLA”) and Does 1 through 100 (“Doe Defendants”), followed by six related complaints. The complaints alleged violations of privacy due to PPLA’s negligence and failure to secure their personal data. A consolidated class complaint was filed on May 25, 2022, representing approximately 409,437 individuals who received data breach notices.

The case was heard in the California Superior Court, Los Angeles County. Judges Elaine Lu, Yvette M. Palazuelos, David S. Cunningham III, and Elihu M. Berle presided over the case. [Case number: 21STCV44106]

Cause

On December 1, 2021, Planned Parenthood Los Angeles (PPLA), a leading reproductive healthcare provider in Los Angeles County, announced a data breach. This breach, caused by PPLA’s negligent data security, exposed the personally identifiable information (PII) and protected health information (PHI) of approximately 400,000 patients. The compromised data included names, addresses, insurance details, birth dates, and clinical information such as diagnoses, procedures, and prescriptions.

Hackers infiltrated PPLA’s network between October 9 and October 17, 2021, using ransomware to steal files containing PII and PHI. Although PPLA discovered the breach on October 17, it failed to determine the full extent of the stolen data until November 4. Patients were notified on November 30 or December 1, over a month after the breach occurred.

This incident followed a similar 2020 data breach at another Planned Parenthood branch, where patient and donor records were compromised. In the PPLA case, affected patients faced heightened risks of identity theft, fraudulent transactions, and medical errors due to the stolen data.

PPLA had promised to protect patient information under its privacy policy, assuring that it would use PII and PHI only for authorized purposes. However, it failed to implement adequate security measures or meet industry standards, enabling hackers to exploit its vulnerabilities.

The breach left victims exposed to significant personal and financial risks. Hackers could misuse sensitive information to commit identity theft, file fraudulent tax returns, or engage in medical fraud, potentially leading to harmful misdiagnoses. PPLA’s actions directly undermined its commitment to improving patients’ well-being, resulting in severe and lasting harm for those affected.

Damages

Due to the Defendants’ willful failure to prevent the data breach, the Plaintiff and Class members became increasingly vulnerable to identity theft, fraud, and other forms of harm. They have already suffered financial damages, and this exposure has heightened their ongoing risk of further financial losses and related harms. This increased susceptibility has caused, and will continue to cause, significant challenges for those affected.

Key Arguments and Proceedings

Legal Representation

  • Plaintiff(s): Maria Orellana
    • Counsel for Plaintiff(s): Daniel S. Robinson | Wesley K Polischuk | Michael W. Olson
  • Defendant(s): Planned Parenthood Los Angeles | Does 1 through 100
    • Counsel for Defendant(s): Casie D. Collignon | Matthew D. Pearson

Claims

Plaintiffs filed claims for violations of privacy laws, including the Confidentiality of Medical Information Act, negligence, consumer protection laws, and unjust enrichment. They also accused the Defendants of invasion of privacy.

Settlement

The parties began mediation in September 2022 and reached a preliminary agreement shortly after. They continued negotiating terms and finalized the settlement in April 2023.

On April 19, 2023, a motion for preliminary approval was filed. In August, the court instructed counsel to provide additional information, including a numerical breakdown of claims, details about the fee-splitting agreement, and a release limited to the facts in the complaint. Counsel submitted a supplemental briefing on December 5, 2023, along with a second amended settlement agreement.

Judge Yvette M. Palazuelos granted preliminary approval on January 22, 2024, and set a July 2, 2024 deadline for the motion for final approval. The judge ordered class counsel to provide billing information and justify the requested costs at the final fairness hearing.

Plaintiffs filed a motion for attorney fees and costs on May 16, 2024. They submitted a motion for final approval on July 2, 2024. On August 8, 2024, Judge Elaine Lu granted conditional final approval. The judge specified that final approval would depend on class counsel providing additional evidence, including final accounting details, deficiency letters, and fraud reimbursement by September 3, 2024. The final approval would only be granted if counsel met these requirements.

On September 10, 2024, Judge Lu issued an order granting final approval. Under the settlement, PPLA agreed to pay $6 million. Of this, class counsel will receive $2,028,061.64 for fees and costs, each class representative will receive $1,500, and up to $883,554 will cover settlement administration expenses.

Court Documents:

Available upon request