Patients of the Fred Hutchinson Cancer Center (Fred Hutch) are now receiving email threats after the center faced a data breach.
What happened
Early this month, Fred Hutch, a Seattle-based cancer research and treatment center with over 10 clinical sites, disclosed they had been the target of a cybersecurity incident. University of Washington Medicine, a medical facility that frequently partners with Fred Hutch, also had impacted patients.
The incident took place on November 19th, 2023. According to their press release, when Fred Hutch discovered the threat, they immediately isolated the impacted servers and took their network offline. Fred Hutch also notified federal law enforcement and is utilizing a security firm to investigate.
The investigation is ongoing, and Fred Hutch is implementing additional defensive tools and monitoring. They are otherwise operating as normal.
What’s new
According to the Seattle Times, some victims are now receiving threats following the breach. The spam emails have been received by current and former Fred Hutch patients as well as UW Medicine patients. The email claimed to have names, Social Security numbers, medical history, insurance information, and other private data from over 800,000 patients.
Fred Hutch has not confirmed who is responsible for the attack. According to a separate source, The Hunters International ransomware gang has claimed responsibility. On December 15th, the ransomware organization added Fred Hutch to their extortion portal on the dark web, threatening to leak 533.1GB of data. Fred Hutch has stated they believe the perpetrators are based outside the US, but their investigators have not determined if data is being sold on the dark web.
The spam email listed patient’s addresses, phone numbers, and medical record numbers. Victims were told they could pay $50 to have their information removed from where it is supposedly on sale.
Fred Hutch has advised recipients to report these emails to the FBI at ic3.gov, block the sender, and delete the message. Fred Hutch urges victims to not send money.
What was said
The emails read, “If you are reading this, your data has been stolen and will soon be sold to various data brokers and black markets to be used in fraud and other criminal activities.”
Fred Hutch spokesperson, Christina VerHeul, said the company “became aware of these emails this week and have been providing guidance to patients on what to do if they receive one.”
CEO Tim Dellit said, “Some patients have received an email from the cyber-criminals and we are sorry if you receive one…Unfortunately, this is a common tactic they use.”
The bottom line
As Fred Hutch continues investigating the breach, they must also work hard to regain patient trust. One impacted patient said he is currently not exploring legal action but is also not ruling it out. Breaches like this can be difficult to resolve; hospitals are often advised against paying the ransom, which can result in the data being sold on the dark web.
Fred Hutch has not released information on the total number of impacted individuals or what data was affected. They have yet to offer any credit monitoring services, saying they will provide more details once the full extent of the breach is determined.
Read more: Refusal to pay is the newest strategy to combat ransom attacks.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
