A Fred Hutchinson Cancer Center cyberattack that breached part of its network last month continues to cause concern and anxiety among patients — many of whom started hearing directly from hackers this week.
Fred Hutch has shared limited details about the investigation into the Nov. 19 hack, which hit a portion of the health care system's clinical network, but said it "may" have leaked some patient data, according to the organization's associate vice president of communications.
The center took its clinical network offline within 72 hours, notified federal law enforcement, and brought in a forensic security firm to investigate, Christina VerHeul said in an interview last week.
It also added more "defensive tools" and increased data monitoring, but has not yet offered credit monitoring services for affected patients. Instead, it encouraged patients to keep a close eye on their bank statements and credit reports to protect against potential fraud or identity theft, according to an FAQ page on the cyberattack.
Then this week, the spam emails started to arrive.
The threats were sent to a number of former and current Fred Hutch patients — as well as some who have received care from Hutch partner UW Medicine — and claimed the names, Social Security numbers, phone numbers, medical history, lab results and insurance history of more than 800,000 patients had been compromised.
"If you are reading this, your data has been stolen and will soon be sold to various data brokers and black markets to be used in fraud and other criminal activities," the alleged hackers wrote, according to several emails shared with The Seattle Times.
VerHeul said she "couldn't speculate" about the total number of people who might have been impacted, but that the investigation continues. In 2022, Fred Hutch treated about 53,000 patients, according to its annual report.
The email said whoever was responsible for the cyberattack had already been in contact with Fred Hutch, which "refused to make a deal."
VerHeul said she didn't know whether or not Fred Hutch has been in contact with those responsible for the cyberattack. Based on available information, however, Fred Hutch has said it believes the perpetrators are based outside the U.S.
Investigators also still have yet to determine if patient data is, in fact, being sold somewhere, she said.
The spam email goes on to list the patient's address, phone number and medical record number. It also includes a link where patients' data is supposedly already on sale, with instructions on how to pay $50 to take it down.
"We became aware of these emails this week and have been providing guidance to patients on what to do if they receive one," VerHeul said in an email Friday.
Anyone who receives suspicious or threatening calls or emails should report them to the FBI's internet crime complaint center at ic3.gov, Fred Hutch told patients in an email this week. Then, block the sender and delete the message, the email said. Do not send any money, it urged.
"Our patients' health and safety is our top priority," Fred Hutch told patients.
UW Medicine leaders also reached out to their patients this week to let them know that because the hospital system works closely with Fred Hutch on cancer care and research, the cyberattack involved data for some UW Medicine patients, even if they've never received services at Fred Hutch.
"Some patients have received an email from the cyber-criminals and we are sorry if you received one," hospital CEO Tim Dellit wrote in the letter. "Unfortunately, this is a common tactic they use."
It's unclear what UW Medicine patient data was impacted, or how many patients may be affected, but the hospital said in a statement that it doesn't currently believe its university-based system was compromised.
While one former Harborview patient who received an email threat said he's not currently exploring legal action, he's "definitely not ruling it out," said the patient, who spoke on the condition of anonymity because he worried about his personal data being released online.
"The assumption we make when we visit providers (especially the UW family) is our data is safe," he wrote in an email.
Fred Hutch has yet to offer any credit monitoring support to patients, but VerHeul said information about potential services would be included in formal notification letters patients will receive in the next 60 days. The letters are required by the Office of Civil Rights for data breaches and will be sent to patients' home addresses.
According to Fred Hutch and UW Medicine, direct patient care has not been interrupted at any of their facilities, including Harborview Medical Center or any UW Medicine primary care clinics. All remain open.
MyChart, an online patient resource and messaging portal, and Epic, an electronic health records system, are both also still up and running.
The organization's clinical sites used to be housed within the Seattle Cancer Care Alliance, which merged with the 48-year-old Fred Hutchinson Cancer Research Center in April 2022 — rebranding as the Fred Hutchinson Cancer Center. Cancer researchers and doctors at Seattle Children's and UW Medicine are also part of the collaboration, the organizations said at the time.
The clinical and research networks remain separate, VerHeul said, noting the research side was not affected by the security breach.
Anyone with questions is encouraged to call Fred Hutch's call center at 888-983-0612, open from 6 a.m. to 6 p.m. Monday to Friday and 6 a.m. to 2 p.m. Saturday and Sunday.