On December 28, DataBreaches published snippets from a chat with a threat actor (TA) who claimed to have involvement with both the Fred Hutch cyberattack and the Integris cyberattack. In the course of that exchange, the TA surprised DataBreaches by claiming that they had threatened Fred Hutch with swatting patients. From DataBreaches’ previous reporting:
“So you are Hunters International?” DataBreaches asked them at some point. “we work with them” was the answer, with the contact later being more direct in saying, “I’m not hunters.”
They later added that, unlike Integris, Fred Hutch had talked with them “long time more” and it wasn’t just stalling. “they talked,” the contact repeated, adding that they “get upset when we threat to swat patients”
“Swat patients?” DataBreaches repeated.
“Swat,” they reiterated.
“Were you seriously considering swat????” DataBreaches asked.
Their answer was immediate and somewhat chilling: “why not?”
“That’s a next level of evil…. swatting cancer patients,” DataBreaches responded.
“We did not,” they answered.
DataBreaches cannot think of any other cyberattack on the healthcare sector (or any sector, for that matter) where threat actors tried to pressure victims to pay by threatening to have patients or customers swatted.
To be clear, DataBreaches does not know at this point whether the swat threat was actually made. DataBreaches reached out to Fred Hutch to inquire whether they had negotiated with the threat actors and whether the threat of swatting was made or mentioned. No reply has been received.
This site’s reporting was subsequently boosted by Becker’s Hospital Review. Other sites picked up the claim from there. Likely getting more media inquiries over the next week about the swatting issue, Fred Hutch issued a statement that has been reported elsewhere. The gist of their statement is that Fred Hutchinson Cancer Center was aware of cyber criminals issuing swatting threats and immediately notified the FBI and Seattle police, who notified the local police.
Their statement did not indicate any time frame, and Fred Hutch never even sent their statement to DataBreaches, who had contacted them about the swatting claim on December 27. So DataBreaches emailed their media contact for a third time on January 12. This time, the email read, in part:
I’m the journalist who broke the story that threat actors were claiming to have threatened to swat patients. That was on December 28 in my report at https://www.databreaches.net/recent-attacks-on-fred-hutch-and-integris-is-attempting-to-extort-patients-directly-becoming-the-new-normal/
[…]
My questions to you:
1. When did Fred Hutch first learn of the swatting threat?
2. When did Fred Hutch first contact law enforcement to report the threat?
3. Why did Fred Hutch decide NOT to alert patients to the threat? My impression is that patients never would have found out if I hadn’t revealed it in my reporting. Did Fred Hutch fear that notifying or alerting patients would needlessly worry them? What was Fred Hutch’s thinking about this transparency question?
Once again, Fred Hutch has not responded to inquiries from this site, but the questions will not go away just because they ignore this site’s inquiries.
Fred Hutch’s failures to be transparent and their failures to respond to this site’s reasonable questions lead DataBreaches to wonder:
If DataBreaches.net had not published that TA’s claim, would anyone have ever known about the swatting threat Fred Hutch subsequently acknowledged it knew about? When did they first know and why did they decide not to alert patients to the threat?
DataBreaches is not claiming that Fred Hutch was wrong not to timely disclose the threat, but there does need to be some discussion about what entities decide to withhold and when withholding of such threats is justified or puts people at additional risk of harm.
It seems likely to this non-lawyer that any covered entity that discloses that type of situation is more likely to be sued by patients or have that show up as a risk of imminent harm to obtain standing in any potential class action lawsuit, but does a covered entity have a duty to warn patients in this situation if they are not sure whether the threat actors would really do something or not?
If Fred Hutch took this seriously enough to alert the FBI who then alerted local police, isn’t that serious enough to alert the patients, too? Those familiar with SWAT likely know that although local police may be pre-warned, when an emergency call does come in, it may just get relayed to SWAT without anyone checking to see if there’s a flag on an address. DataBreaches does not know the situation in Washington State, but simply warning local police will likely not prevent all malicious SWAT attacks.
DataBreaches calls on Fred Hutchinson Cancer Center to forthrightly answer the questions this site put to them and encourages meaningful discussion among all stakeholders as to what should be “best practices” in breach disclosure in this type of situation.
DataBreaches also calls on members of Congress to seek answers from Fred Hutch since they haven’t seemed willing to answer DataBreaches’ questions. Links to this report will be sent to Senator Ron Wyden of Oregon and Senators Patty Murray and Maria Cantwell of Washington State.
DataBreaches welcomes thoughtful comments on this issue.