Hundreds of patients receive threatening emails after Fred Hutch cyberattack

Hundreds of people who have been patients at Seattle’s Fred Hutchinson Cancer Center have received threatening emails following a cyberattack on the institution’s networks in November.

The cancer center said it detected unauthorized activity on its clinical network on Nov. 19, 2023.

The cybersecurity incident specifically involved Fred Hutch systems, but those systems also house some University of Washington Medicine patient data.

According to a statement from Fred Hutch, the impacted servers have been quarantined, the clinical network was taken offline as a protective measure, and an investigation is ongoing to identify the extent of the breach.

A spokesperson said via email that Fred Hutch has received approximately 300 calls from patients who have received similar emails.

The emails claim information for 800,000 patients has been compromised — including names, social security numbers, medical and insurance information, lab results and more — and demands payment to prevent the sale of that data.

Fred Hutch was not able to confirm what information has been compromised or speculate about how many people may be affected.

“If you are reading this, your data has been stolen and will soon be sold to various data brokers and black markets to be used in fraud and other criminal activities,” the ransom emails say.

The threatening emails also provide a sample of the personal data exposed for the individual being contacted.

Nick Quinlan, a UW Medicine patient, said his name, address, and patient record number were provided in the message he received.

He was directed to pay $50 in bitcoin to prevent the information being sold.

"I was disappointed to think that my patient records were online, conflicted on whether I wanted to look into it, pay money to get the records offline, if that would even do anything," Quinlan said.

He has since decided not to send any money.

“We are sorry our patients are receiving these messages,” Christina VerHeul, associate vice president for communications at Fred Hutchinson Cancer Center, said in a statement. “Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages. If the message demands a ransom, we are telling patients DO NOT PAY IT.”

The cancer center is asking patients who receive threatening emails to report them to the FBI’s Internet Crime Complaint Center.

Cancer center officials advise patients to delete the message, block the sender, and consider reporting the message as spam through their email server.

Additionally, patients are advised to review account statements and monitor credit reports closely to protect against fraud or identity theft.

“If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company that maintains the account. They should also promptly report any fraudulent activity or any suspected incidents of identity theft to appropriate law enforcement authorities, including the police, as well as the Federal Trade Commission,” the statement said.

Based on the information available, VerHeul said the group responsible for the hack appears to be outside the U.S.

Fred Hutch has notified federal law enforcement and is working with a forensic security firm to investigate the incident.

VerHeul was not able to give information about when the investigation would be complete, but said the institution is working to complete it soon as possible.

She said anyone whose information was involved will be contacted directly.

KUOW reporter Paige Browning contributed reporting for this story.