The Fred Hutchinson Cancer Center, federal law enforcement and forensic security experts are still investigating after some clinical data was allegedly leaked in a cyberattack Thanksgiving week. (Mike Siegel / The Seattle Times)
At least seven class-action lawsuits have been filed against Fred Hutchinson Cancer Center after some clinical data was allegedly leaked in a cyberattack last month.
The Nov. 19 cybersecurity incident resulted in an apparent breach of some patient and employee information, the lawsuits allege, which was then followed by spam threats emailed to a number of people whose data hackers said they stole. In the past week, complaints — many accusing Fred Hutch of negligence and breach of contract — have started to file in.
One complaint, filed this week in King County Superior Court, says the Seattle cancer care center “owed a duty” to plaintiffs Alexander Irvine and Barbara Twaddell, who received services from Fred Hutch, to provide “reasonable and adequate security measures to secure, protect and safeguard” their health information.
The suit also accuses Fred Hutch of failing to promptly notify those whose data might have been leaked and alleges hackers were able to spread personal information before patients could take “steps to protect” themselves.
Both Irvine and Twaddell heard from the alleged hackers before they received notification from Fred Hutch, said their attorney Alex Strong.
“There can be long-term consequences to having your info stolen,” Strong said. “Their private information is out there now.”
Another lawsuit — filed on behalf of Fred Hutch patient Shawna Arneson — cites concerns about identity theft, fraud and other potential criminal use of personal and bank details.
Fred Hutch has said it’s working through the data breach notification process required by the federal Office of Civil Rights and continues to reach out to those whose data might have been leaked.
“We have 60 days to notify individuals who have been impacted,” Christina VerHeul, Fred Hutch’s associate vice president of communications, said in an email this week. “That outreach has not yet been completed, but is why we’re working to complete the investigation as quickly as we can so we can send out notifications to those impacted.”
She added that notifications will arrive via mail to people’s homes.
“In the meantime, we have tried to reach as many patients as possible to alert them of the security incident,” VerHeul wrote. “On December 1-2, we sent notifications via MyChart. We then followed up Dec. 6-7 with an email to patients. We have also put information on our website and in the media throughout that time.”
She declined to specifically comment on any ongoing litigation.
Fred Hutch has shared limited details about the investigation into the Thanksgiving week hack, which hit a portion of the health care system’s clinical network, but believes the hackers are based outside the U.S. The center took its clinical network offline within 72 hours and has since added more “defensive tools” and increased data monitoring.
The number of people impacted by the breach remains unclear.
The cancer care center has not yet offered credit monitoring services for affected patients. Instead, it encouraged patients to keep a close eye on their bank statements and credit reports to protect against potential fraud or identity theft.
Because UW Medicine works closely with Fred Hutch on cancer care and research, the cyberattack involved data for some UW Medicine patients, even if they’ve never received services at Fred Hutch.
It’s unclear what UW Medicine patient data was impacted or how many patients may be affected, but the hospital said in a statement that it doesn’t currently believe its university-based system was compromised.
Timothy Emery, another attorney representing patients whose data might have been leaked, called the cyberattack an “egregious privacy breach.”
“Patients, many of whom are at the most vulnerable point in their lives, are now faced with ransom emails, identify theft, and fraud,” Emery said in an email. “We hope that Fred Hutch will do the right thing and work with Washingtonians to protect their financial and medical information.”
Emery is also representing several patients whose data was targeted in a similar cyberattack this year involving Proliance Surgeons, a practice that includes surgeons and other providers throughout the state. Although the breach occurred in February, Proliance teams didn’t realize patient data had been compromised until May and didn’t notify a number of patients until late November, according to several patients who shared emails and letters from the surgical group.
The leaked information could include names, dates of birth, social security information, medical treatment information, health insurance, phone numbers, email addresses and other information, Proliance said in a statement.
Those with questions about the Proliance cyberattack are encouraged to call the center at 1-833-609-3856.
Anyone who receives suspicious or threatening calls or emails related to the Fred Hutch breach should report them to the FBI’s internet crime complaint center at ic3.gov, according to health care organization. Then, block the sender and delete the message. Do not send any money, Fred Hutch says.
Anyone with questions is encouraged to call Fred Hutch’s call center at 888-983-0612, which is open from 6 a.m. to 6 p.m. Monday to Friday and 6 a.m. to 2 p.m. Saturday and Sunday.
If you have received information that your data has been compromised, call Emery | Reddy, PLLC today for a free case review.