Cybercrime

Planned Parenthood of Montana confirms cyberattack

A prolific ransomware operation claims to have stolen 93 gigabytes of data.

September 5, 2024

Planned Parenthood signage on August 19th 2022 in New York City. (Photo by Bill Tompkins/Getty Images)

Planned Parenthood of Montana confirmed Wednesday that it was targeted in a late-August “cybersecurity incident” and that it is investigating the matter.

The statement from Planned Parenthood of Montana CEO & President Martha Fuller said the organization identified the incident Aug. 28 and “immediately implemented our incident response protocols, including taking portions of our network offline as a proactive security measure.”

The statement came after RansomHub, a prolific ransomware group, listed the nonprofit on its website Wednesday. The listing, which included screenshots of documents the attackers said came from within Planned Parenthood, claimed that 93 gigabytes of data was stolen. The attackers have given Planned Parenthood until Sept. 11 to pay an undisclosed ransom or have the material published.

The sample material so far does not seem to include private patient data. The incident occurred eight days after Montana’s secretary of state certified that a coalition of abortion rights groups had collected enough valid signatures to ensure a vote on adding a right to abortion to the state’s constitution in this November’s election.

“We are aware of the RansomHub post,” Fuller said, “and want to assure our community that we are taking this matter very seriously. We have reported this incident to federal law enforcement, and will support their investigation.”

The organization is investigating “the cause and scope of the incident,” Fuller said.

Since emerging online Feb. 10, RansomHub has posted roughly 232 observed targets on its page, according to data collected by eCrime.ch, an online cybercrime research platform. The group operates as a ransomware-as-a-service operation, where affiliates use the platform and ransomware variant to carry out the attacks and split extortion proceeds with a core group of developers.

The Cybersecurity and Infrastructure Security Agency said in an Aug. 29 advisory that RansomHub has “established itself as an efficient and successful service model” and has encrypted and exfiltrated data from at least 210 victims since February.

RansomHub has been tied to major incidents in its relatively brief run, most recently as the rumored variant used in an attack and data exfiltration that targeted the energy services titan Halliburton, which the company said it detected Aug. 21. Halliburton has not confirmed that RansomHub was involved.

RansomHub was also the platform used in a second extortion attempt in April targeting UnitedHealth Group’s subsidiary Change Healthcare. Attackers originally working with the now-defunct ALPHV ransomware platform took stolen Change Healthcare data to RansomHub after ALPHV’s administrators scammed affiliates out of their portion of a $22 million ransom payment ALPHV received from UnitedHealth Group.