SEATTLE — Seattle's Fred Hutchinson Cancer Center is warning patients of threatening spam emails after a cyberattack gained access to its system last month.
On Dec. 1, Fred Hutch announced the detection of "unauthorized activity" on Nov. 19. It said the breach was contained to limited parts of the center's clinical network.
As of this week, some patients of Fred Hutch and UW Medicine have started receiving emails from cybercriminals threatening to release sensitive information to the dark web if they do not pay money.
“Yesterday I got an email saying that 800,000 patient records had been leaked and mine was among them. If I didn't pay $50, they would start selling them on the dark web," said Nick Quinlan, a UW Medicine patient.
UW Medicine told KING 5 that due to their work with Fred Hutch, some patients who have never been seen at Fred Hutch may have also had information leaked.
They sent this statement:
"Fred Hutch serves as UW Medicine’s cancer program and we advance cancer research together through the Fred Hutch/University of Washington/Seattle Children’s Cancer Consortium. As a result of our work with Fred Hutch, the cybersecurity incident experienced on Fred Hutch systems impacted data for some UW Medicine patients who have not been seen at Fred Hutch. A forensic team is continuing to assess the situation and Fred Hutch will directly contact any individuals whose information was involved. Patient care is not interrupted; Fred Hutch, UW Medical Center, Harborview Medical Center and UW Medicine Primary Care clinics are open and serving patients."
Quinlan said at the time he had not received any warning of a breach from UW Medicine and that it was disappointing.
"I think that data security best practice is that when there is a data breach that you know about, you do a disclosure, and so far there's not been a disclosure like that," said Quinlan.
Later in the day on Dec. 7, some UW patients did start to receive notices of possible data leak impacts connected to the Fred Hutch cyberattack.
Quinlan said he was worried about his personal and medical information possibly being part of the breach and how it could be used.
“You just never know once the data is out there what's going to happen with it and what it's going to be used to do,” said Quinlan.
Fred Hutch said all of its clinics remain open and continue to serve patients. It said it is still working to identify the types of data that were accessed and they do not yet know how many people may have been impacted or how many people may have received the threatening emails.
"We are working on investigating that, that investigation is ongoing," said Christina Verheul, the Associate VP of Communications for Fred Hutch. "Once we know more, we will be communicating more."
Fred Hutch said federal and local authorities are investigating the breach.
"Fred Hutch is committed to the safety, wellbeing, and safeguarding of patient and employee information and is continuously updating and enhancing systems to prevent external parties from accessing information. We have implemented additional defensive tools and increased monitoring to further protect data," the center said in a statement.
As a precaution, Fred Hutch is recommending its patients remain vigilant to protect against potential fraud or identity theft.
Fred Hutch has set up a section on its website to help patients who have reported receiving threatening spam emails. There is also a dedicated call center for patients with further questions, which can be reached at 888-983-0612.
As of Thursday morning, Fred Hutch said around 300 people had called their call center with concerns and questions, including people who had received the emails from the cybercriminals.
"We are sorry you’re receiving these messages. Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages. If the message demands a ransom, DO NOT PAY IT. Please report these messages to the FBI’s Internet Crime Complaint Center at ic3.gov. Then block the sender and delete the message. In addition, you may consider reporting the message as spam through your email," Fred Hutch's website reads.
Fred Hutch said it is working with federal law enforcement and a leading forensic security firm to investigate the incident.