Fred Hutch to pay 115 million to settle data breach lawsuit The Seattle Times
Fred Hutchinson Cancer Center has agreed to pay about 115 million to patients after a 2023 cyberattack put their personal data at risk.

Hackers targeted parts of Fred Hutch's clinical network around Thanksgiving a year and a half ago, resulting in a wave of concern among former and current patients, some of whom were inundated with spam messages and email threats after the breach. At least nine lawsuits filed against Fred Hutch alleged the Seattle cancer care and health research center failed to provide adequate data security.

The complaints have since been consolidated into one, which King County Superior Court Judge Wyman Yip wrapped up with his final May 20 settlement order.

The agreement was negotiated in good faith and is fair, reasonable, adequate and in the best interest of class members, Yip wrote in the order.

In a statement following the order, Fred Hutch said the cancer center remains committed to safeguarding personal data and continues to invest in strengthening its security.

"We greatly value the trust of our patients and employees and take the security of personal information very seriously," Fred Hutch spokesperson Christina VerHeul said in the statement.

The certified class consists of about 21 million people, which includes anyone whose personal information was in a database that could have been accessed or viewed by hackers, regardless of whether it was actually compromised, VerHeul wrote. That group includes patients, employees and insurance policyholders, she added.

A fraction of the eligible class, about 140,000 people, submitted claims for settlement benefits by the May 7 deadline, according to Cecily Jordan, an attorney with Tousley Brain Stephens, which represented patients. Kim Stephens, lead attorney for Tousley Brain Stephens, called the claims rate robust and a bit higher than most.

The personal information of some UW Medicine patients was also involved in the cyberattack, even if they had never received services at Fred Hutch, because the two health care organizations work closely on cancer care and research, UW Medicine leaders said at the time. UW Medicine said then it didn't believe its university-based system was breached.

Overall, the agreement orders Fred Hutch to provide about 525 million, which includes the 115 million in cash payments to class members, as well as about 135 million in security improvements to its data network and about 255 million worth of two-year subscriptions for medical fraud monitoring and insurance for class members, Stephens said.

Class members who filed valid claims by the deadline are eligible to receive up to 599, with some possibly able to submit a claim for up to 5,000 for out-of-pocket losses incurred as a direct result of the data breach, according to court records.

It won't be clear how much each class member will receive on average until all claims are reviewed and validated, said Jordan.

Fred Hutch said last year it believed hackers exploited a vulnerability in a workspace software called Citrix that allowed them access to its network.

Around that time, the weakness, known as the Citrix Bleed, gained attention from federal cybersecurity teams, who said it allowed threat actors to bypass password requirements and multifactor authentication measures.

Fred Hutch took its clinical network offline within 72 hours of the cyberattack, notified federal law enforcement and brought in a forensic security team to investigate, VerHeul said in an interview shortly after the breach. The cancer center also added more defensive tools, increased data monitoring and let patients know they should keep an eye on their bank statements and credit reports.

Fred Hutch initially said hackers accessed the data of about 1 million people, but that number was revised after further investigation.

A couple weeks later, some patients started to receive spam emails from the alleged hackers, who claimed their names, Social Security numbers, phone numbers, medical history, lab results and insurance history had been compromised. Unless patients paid a fee, the alleged hackers threatened to sell their information to data brokers and on black markets, according to emails shared with The Seattle Times.

The following January, swatting threats began to emerge, which occur when a bogus claim is made to law enforcement so that emergency response officers, like SWAT teams, show up at a person's home. The tactic puts both victims of these threats and first responders in danger, Steve Bernd, a former spokesperson for the FBI in Seattle, said at the time.

Fred Hutch has said it believes the perpetrators were based outside the U.S. The cancer care center is not aware of any patient data actually being sold to date, VerHeul wrote in an email.

Fred Hutch did not pay any ransom from alleged hackers, she said.

FBI spokesperson Amy Alexander said this week the agency didn't have updates on the breach. She declined to answer questions about whether there have been arrests related to the case.

Hospitals and health care organizations around the state and nationwide have emerged as particularly popular targets for cybercriminals the last several years, largely because they hold a huge amount of patient data, from medical records to financial information. Some breaches have crashed systemwide operations, caused delays in patient procedures and rerouted ambulances.

In February 2024, a massive cyberattack crippled Change Healthcare, a subsidiary of UnitedHealth Group that handles health care payments, and disrupted hospital operations throughout the country, including in Washington state. In that incident, data of more than 190 million patients was exposed, according to the American Hospital Association.

At the time, the AHA president called the Change cyberattack the most significant and consequential incident of its kind against the U.S. health care system in history.

The Washington attorney general's office last year confirmed a record high in number of data breach notifications, which for the first time exceeded the state's population, according to an annual report. In 2024, the office sent 116 million notices to Washingtonians who were affected by 279 breaches, up from a previous high of 65 million notices, the report said. The U.S. Census Bureau estimated the state population in 2024 as 796 million.

Since Fred Hutch's cyberattack, the cancer center has committed to implementing certain security improvements, including performing audits and testing exercises, connecting with security consultants, consolidating IT systems and limiting access to systems, among other additions, according to the settlement agreement. These changes will be added over the next three years, the agreement says.

Yip also awarded class counsel about 38 million in attorneys' fees and a service award of about 2,500 to eight class representatives each, per court records.

Class members should expect to receive a notice in the mail in the next couple months with information about the settlement and how they can submit a claim for payment.

Information from The Seattle Times archives was included in this article.

While there is no foolproof way to ensure that your information is safe, there are some steps you can take to protect yourself from identity theft.

Call the companies where the fraud may have occurred.

Work with one of the credit bureaus (Experian, TransUnion and Equifax) to check your credit report for suspicious activity and to place a fraud alert or credit freeze on your credit report.

Report the identity theft to the FTC at IdentityTheft.gov.

File a report with your local police department.

Send a copy of the police report to the three major credit bureaus.

Ask businesses to provide you with information about transactions made in your name. A template for a letter can be downloaded from the Washington Attorney General's website at atg.wa.gov/recovering-identity-theft-or-fraud.

If you receive a breach notification or believe that you may be a victim of identity theft, visit the Washington Attorney General's website at https://www.atg.wa.gov/guardit.aspx for help.

If you receive a threatening spam email, you can report it to the FBI's Internet Crime Complaint Center at ic3.gov.