DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Fred Hutch notifies more patients of November 2023 attack (1)

Posted on May 5, 2024 by Dissent

In December 2023, UW’s Fred Hutchinson Cancer Center  (“Fred Hutch”) reported a November cyberattack that involved the exfiltration of patient data and attempted extortion of patients. DataBreaches contacted Fred Hutch on December 8 to ask whether the attackers had encrypted their files and whether they had negotiated with the threat actors. They did not reply.

On December 27, after a threat actor told DataBreaches that Fred Hutch had been threatened with having their patients swatted, DataBreaches contacted Fred Hutch again. Again, they did not reply, even though they responded to another outlet that had picked up the story. DataBreaches reached out to Fred Hutch on January 12 about the swatting claim and their failure to reply to DataBreaches, writing, in part:

As one example, on January 5, The Register reported:

“Fred Hutchinson Cancer Center was aware of cyber criminals issuing swatting threats and immediately notified the FBI and Seattle police, who notified the local police,” a spokesperson told The Register today. “The FBI, as part of its investigation into the cybersecurity incident, also investigated these threats.”

My questions to you:

1. When did Fred Hutch first learn of the swatting threat?
2. When did Fred Hutch first contact law enforcement to report the threat?
3. Why did Fred Hutch decide NOT to alert patients to the threat? My impression is that patients never would have found out if I hadn’t revealed it in my reporting. Did Fred Hutch fear that notifying or alerting patients would needlessly worry them? What was Fred Hutch’s thinking about this transparency question?

Once again, Fred Hutch did not reply.

Data Leaks But Patients Not Told?

By the end of December, threat actors calling themselves Hunters International had already leaked data. Data was also up for sale on a popular hacking forum and Seraph Market.

Yet none of Fred Hutch’s public disclosures notified the 890,959 patients that their data had leaked.

At last check, the information remains available on two sites.

More Patients Notified

On April 5, Fred Hutch sent a notification letter to additional patients. Their letter explains:

During our ongoing analysis, on or about February 12, 2024, we discovered that an additional Fred Hutch database containing information for individuals who received care at UW Medical Center, Harborview Medical Center and/or UW Medicine Primary Care clinics had been involved in the incident.

What Information Was Involved? The information in the database may include your contact information, such as your name, address, phone number, and/or email address; date of birth; health insurance information; medical record number; and limited clinical information related to registration, such as diagnosis or procedure codes, provider name, and/or allergy information. The information involved did not include your Social Security number or financial information, nor was Fred Hutch’s electronic medical record system involved or accessed.

According to someone who received the letter, there was no offer of any complimentary mitigation services.

DataBreaches could not determine if patient data from these three facilities was part of the initial leak and has contacted the seller to ask if they had any patient data from UW Medical Center, Harborview Medical Center, and/or UW Medicine Primary Care. DataBreaches will update this post if a reply is received.

Update of May 14, 2024:  The seller informs DataBreaches that they no longer remember but that they had not pivoted to UW and the data they had gotten from those entities had been because they were shared on Fred Hutch’s system.

Related posts:

  • Fred Hutch failed to reveal threats of potential swatting attacks until this site revealed the threat. Should they have disclosed it themselves?
  • Seattle cancer patients face blackmail threats after recent Fred Hutch data breach
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Recent attacks on Fred Hutch and Integris: Is attempting to extort patients directly becoming the “new normal?”
Category: BlogCommentaries and AnalysesHackHealth DataHIPAAOf NoteU.S.

Post navigation

← Forensic reports are NOT privileged — Ontario Divisional Court
More than 380,000 additional NYC students had info breached in 2022 Illuminate Education hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.