Hackers Threaten Cancer Center Patients in Washington Following Data Breach
The threatening emails said 800,000 patients had their names, Social Security numbers, addresses, phone numbers, medical histories, lab results, and insurance histories stolen.
Seattle, Washington – Some current and former patients who were treated at the Fred Hutchinson Cancer Center and the University of Washington (UW) have started to receive threatening emails from hackers following the November 19 data breach against the UW healthcare facilities.
Last month, hackers hit a portion of the Seattle healthcare facility’s network. The center said the breach may have led to the leakage of some patient data, reports the Seattle Times. Within 72 hours, Fred Hutchinson took its clinical network offline, notified the FBI, hired a security firm to investigate the incident, added “defensive tools” and increased data monitoring. However, it didn’t offer credit monitoring to the patients whose data was stolen. Rather, it advised victims to monitor their credit.
This week, some former and current patients started receiving email messages directly from the hackers, threatening to leak their personal information if they don’t pay up, reports MyNorthwest. The message received by one victim said, “Your private date and medical history is being sold on dark net markets.”
The message also said 800,000 patients had their names, Social Security numbers, addresses, phone numbers, medical histories, lab results, and insurance histories stolen.
The email asked the victim for $50 to scrub his information from the dark web.
Fred Hutchinson Cancer Center is advising victims who received these emails to not pay the ransom and to contact the FBI’s Internet Crime Complain Center. It also advised victims to then block the sender and delete the message.
The data breach has prompted the filing of a class action lawsuit against the Fred Hutchinson Cancer Center, University of Washington School of Medicine, UW Medical Center, and others by Turke & Strauss LLP, based in Madison, Wisconsin. The suit says the defendants didn’t provide security to stop “a flood of extortionary threats by cybercriminals to defendants’ current and former patients,” reports KOMO.
Fred Hutchinson wasn’t the only healthcare facility whose network fell victim to a cyber attack in mid- or late November. Hospital emergency rooms in several states were forced to divert emergency vehicles to other facilities due to a slew of cybersecurity incidents on Thanksgiving Day. The affected hospitals were in Texas, Idaho, New Jersey, Kansas, Oklahoma, Tennessee, and New Mexico.
In response to the data breach, Fred Hutchinson released the following press release:
Notice of information security incident involving Fred Hutchinson Cancer Center
SEATTLE – DECEMBER 1, 2023 – Fred Hutchinson Cancer Center today announced the detection of unauthorized activity on limited parts of the Center’s clinical network. Upon learning of the situation, Fred Hutch took immediate action to quarantine the servers and contain the impact of the incident, including proactively taking their clinical network offline. Fred Hutch promptly notified federal law enforcement and retained a leading forensic security firm to further investigate the incident.
All Fred Hutch clinics remain open and actively serving patients as the investigation continues.
Fred Hutch is committed to the safety, wellbeing, and safeguarding of patient and employee information and is continuously updating and enhancing systems to prevent external parties from accessing information. We have implemented additional defensive tools and increased monitoring to further protect data.
Fred Hutch is working to complete the investigation as quickly as possible and will contact any individuals whose information was involved. As a precautionary measure, Fred Hutch recommends individuals remain vigilant to protect against potential fraud and/or identity theft by reviewing account statements, monitoring credit reports, and notifying financial institutions of any potential suspicious activity. Individuals may also wish to review the tips provided by the Federal Trade Commission (or FTC) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft.
For more information and to contact the FTC, please visit https://www.identitytheft.gov/#/ or call 1-877-ID-THEFT (1-877-438-4338). You may also contact the FTC at Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Additional information can be found on Fred Hutch’s dedicated webpage, or those impacted can contact the call center for support at 1-888-983-0612.
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!