Planned Parenthood lab services provider Laboratory Services Cooperative (LSC) has disclosed a data breach that exposed the health data of 1.6 million people after hackers breached its systems.
Seattle, Washington-based LSC is a 501(c)(3) nonprofit that provides reproductive lab services to Planned Parenthood and other organizations across 35 U.S. states.
LSC discovered the breach after detecting suspicious activity on its network on October 27, 2024, and “immediately engaged third-party cybersecurity specialists to determine the nature and scope of the incident and notified federal law enforcement.”
The investigation determined that an unauthorized entity had breached certain portions of the network and copied some files containing personal information.
Lab services provider LSC breach leaked sensitive health data
While data varied by individual, the data breach exposed personally identifiable information, medical and insurance information, and billing and financial data.
Specific personal details leaked included victims’ full names, Social Security numbers, driver’s license or passport numbers, dates of birth, and government-issued IDs.
Medical details such as dates of service, diagnoses, treatments, lab results, provider, and facility details were also exposed during the LSC health data breach.
The LSC health data breach also exposed insurance information such as plan type, insurer, and member/group ID numbers.
Billing and financial details, such as claims, billing details, bank and payment card information, were also exposed.
According to a data breach notification filed with the Office of the Maine Attorney General, the lab services breach impacted 1.6 million people, including employees and patients.
“For LSC workers, the information involved may also include details about their dependents or beneficiaries if that information was provided to LSC,” the company stated.
However, only select Planned Parenthood centers, which the lab services provider cannot disclose due to privacy concerns, were affected.
“It is important to note that LSC began providing services to these centers at different times, with some partnerships starting as recently as the past few years,” the lab services provider added.
For now, LSC has set up a dedicated call center to “help determine whether a specific Planned Parenthood health center has partnered with LSC for lab testing services.”
Meanwhile, victims will receive complimentary credit monitoring through CyEx Medical Shield Complete for 12 to 24 months, depending on their state of residence, if they enroll by July 14, 2025. Victims can also utilize free annual credit reports from other credit reporting bureaus, such as Equifax, Experian, or TransUnion.
The lab services provider also advised victims to monitor their accounts and credit reports for suspicious activity and report any incidents to the Federal Trade Commission or law enforcement.
“Customers who may have had their data exposed in the LSC breach will need to stay alert for phishing attempts, new accounts being opened under their name, calls claiming to be bill collectors, and more. Affected parties should take advantage of any credit monitoring services that may be offered by LSC,” noted Chris Hauk, Consumer Privacy Champion at Pixel Privacy.
LSC has also implemented additional post-breach protocols to prevent a similar incident in the future. It hired cybersecurity experts to monitor the dark web, but has yet to find any evidence suggesting that the stolen health data has been misused or shared.
So far, no cybercrime group has taken responsibility for the LSC health data breach, and the lab services provider has not disclosed receiving any ransom demands.
However, cybercriminals rarely expose breached companies publicly, to protect their reputation, while ransom negotiations are still possible. Nonetheless, paying a ransom does not guarantee that cybercriminals will delete the stolen health data or will not try to maximize their profits by selling it to other threat actors.
Healthcare organizations targeted by cyber attacks
Meanwhile, healthcare organizations are a lucrative target for cyberattacks, as health data fetches a premium price on underground hacking forums and is an invaluable tool for cyber extortion.
“Organizations operating in and around healthcare, especially those handling sensitive reproductive health data like Laboratory Services Cooperative, remain high-value targets for threat actors,” warned Nick Tausek, Lead Security Automation Architect at Swimlane. “LSC supports organizations across more than 35 states, managing lab testing, financial, and personal data, including for select Planned Parenthood centers. Medical organizations often operate in intricate networks with confusing regulatory oversight, making them a dangerous target.”
While the LSC data breach did not stem from Planned Parenthood systems, the reproductive health services provider suffered a cybersecurity incident in 2021 that exposed 400,000 patient records and resulted in a class action lawsuit.
“LSC’s role as a centralized lab service provider to organizations like Planned Parenthood and others across more than 35 states makes this not just a health data incident, but a targeted attack on reproductive healthcare infrastructure,” warned Ensar Seker, CISO at SOCRadar.
This incident is a reminder that cybersecurity must be treated as an integral part of patient care and operational resilience.
“To strengthen defenses against these threats, organizations should implement a layered security strategy. This includes maintaining strong cyber hygiene to minimize attack surfaces and leveraging AI-driven automation to enhance visibility across the IT environment and accelerate incident response,” concluded Tausek.