In December 2023, UW’s Fred Hutchinson Cancer Center (“Fred Hutch”) reported a November cyberattack that involved the exfiltration of patient data and attempted extortion of patients. DataBreaches contacted Fred Hutch on December 8 to ask whether the attackers had encrypted their files and whether they had negotiated with the threat actors. They did not reply.
On December 27, after a threat actor told DataBreaches that Fred Hutch had been threatened with having their patients swatted, DataBreaches contacted Fred Hutch again. Again, they did not reply, even though they responded to another outlet that had picked up the story. DataBreaches reached out to Fred Hutch on January 12 about the swatting claim and their failure to reply to DataBreaches, writing, in part:
As one example, on January 5, The Register reported:
“Fred Hutchinson Cancer Center was aware of cyber criminals issuing swatting threats and immediately notified the FBI and Seattle police, who notified the local police,” a spokesperson told The Register today. “The FBI, as part of its investigation into the cybersecurity incident, also investigated these threats.”
My questions to you:
1. When did Fred Hutch first learn of the swatting threat?
2. When did Fred Hutch first contact law enforcement to report the threat?
3. Why did Fred Hutch decide NOT to alert patients to the threat? My impression is that patients never would have found out if I hadn’t revealed it in my reporting. Did Fred Hutch fear that notifying or alerting patients would needlessly worry them? What was Fred Hutch’s thinking about this transparency question?
Once again, Fred Hutch did not reply.
Data Leaks But Patients Not Told?
By the end of December, threat actors calling themselves Hunters International had already leaked data. Data was also up for sale on a popular hacking forum and Seraph Market.
Yet none of Fred Hutch’s public disclosures notified the 890,959 patients that their data had leaked.
At last check, the information remains available on two sites.
More Patients Notified
On April 5, Fred Hutch sent a notification letter to additional patients. Their letter explains:
During our ongoing analysis, on or about February 12, 2024, we discovered that an additional Fred Hutch database containing information for individuals who received care at UW Medical Center, Harborview Medical Center and/or UW Medicine Primary Care clinics had been involved in the incident.
What Information Was Involved? The information in the database may include your contact information, such as your name, address, phone number, and/or email address; date of birth; health insurance information; medical record number; and limited clinical information related to registration, such as diagnosis or procedure codes, provider name, and/or allergy information. The information involved did not include your Social Security number or financial information, nor was Fred Hutch’s electronic medical record system involved or accessed.
According to someone who received the letter, there was no offer of any complimentary mitigation services.
DataBreaches could not determine if patient data from these three facilities was part of the initial leak and has contacted the seller to ask if they had any patient data from UW Medical Center, Harborview Medical Center, and/or UW Medicine Primary Care. DataBreaches will update this post if a reply is received.
Update of May 14, 2024: The seller informs DataBreaches that they no longer remember but that they had not pivoted to UW and the data they had gotten from those entities had been because they were shared on Fred Hutch’s system.