The Fred Hutchinson Cancer Center was the target of a Thanksgiving week cyberattack, but most details about the breach remain murky, the Seattle health care system reported Friday afternoon.
Fred Hutch teams noticed some "unauthorized activity" last week on "limited parts" of the health care system's clinical network, as opposed to its research network, said Christina VerHeul, the organization's associate vice president of communications.
"We're still assessing what the potential impact could be to patients and employees," VerHeul said in an interview. "We have forensic teams who are assessing the level of data compromised and, as we know more, we'll be able to alert folks as quickly as we possibly can."
VerHeul said investigators didn't yet know what data was at risk but said the clinical network "may" include patient information.
"The reality is, we don't know to what extent information has been obtained, nor any of the details of what that information is," she said. "That's what we're still trying to investigate."
VerHeul didn't have an estimate for how long the investigation — involving both federal law enforcement and forensic security experts — might last, but it "could take weeks," she said. Notifications will be sent to patients within 24 hours, VerHeul said Friday.
Within 72 hours of detecting the security issue, the clinical network was taken offline (and remains offline), she added. All clinics remain open and continue to serve patients, according to a statement from the health care organization.
MyChart, an online patient resource and messaging portal, is also still up and running, VerHeul said.
"The safety, wellbeing, and personal information of our patients and employees is of the utmost importance to Fred Hutch," the statement said.
The organization's clinical sites used to be housed within the Seattle Cancer Care Alliance, which merged with the 48-year-old Fred Hutchinson Cancer Research Center in April 2022 — rebranding as the Fred Hutchinson Cancer Center. Cancer researchers and doctors at Seattle Children's and UW Medicine are also part of the collaboration, the organizations said at the time.
The clinical and research networks remain separate, VerHeul said, noting the research side was not impacted by the security breach.
Fred Hutch wasn't the only health care organization that experienced cyberattacks last week. Ardent Health Services, a Tennessee-based health care system with 30 hospitals in five states, took its IT systems offline on Thanksgiving morning after discovering evidence of a ransomware attack, Becker's Hospital Review reported.
The cyberattack diverted ambulances from hospitals in Texas, New Mexico and New Jersey, according to CNN.
Vanderbilt University Medical Center, which runs at least seven hospitals and other clinics in Tennessee, is also investigating a Thanksgiving cybersecurity incident, according to cybersecurity news site The Record.
"It's definitely not unique to us, unfortunately," VerHeul said.
She did not have an estimate for the number of people potentially impacted by the security attack, and was also unable to say when the organization's next update on the matter might be available.
"We have teams working around the clock to resolve this and ensure that we're continuing to provide safe, trusted care and security of information for our patients and employees," she said.
Anyone with questions about the cyberattack can visit fredhutch.org/datasecurity or, starting Saturday at 6 a.m., can contact the Hutch's call center at 888-983-0612.
