SEATTLE — As if battling cancer isn’t hard enough, now patients at UW’s Fred Hutchinson Cancer Center are being extorted.
Last month, the Cancer Center experienced a data breach, exposing data for an unknown number of patients.
Some of those patients are getting emails threatening to leak their personal information if they don’t pay up.
Nicholas Quinlan got one of those emails at 6:30 am Wednesday. He said he didn’t even know about the Nov. 19th data breach before then.
“To me, it felt like a real good sales tactic, like, here’s all your information, do you want to pay to get it offline,” said Quinlan.
That email, which is attached below in its entirety, said in the subject line, “[FREDHUTCH] QUINLAN NICHOLAS Your private data and medical history is being sold on dark net markets.”
It also says Quinlan is one of 800,000 patients whose “names, SSN, addresses, phone numbers, medical history, lab results, and insurance history” are compromised.
“The email had information that looked pretty real. It had my address, it had my patient record number; it had my insurer on it. I felt like it was pretty likely that data had been lost or was online publicly,” said Quinlan.
The email references the November data breach. It also says, “We have been in contact with Fred Hutchinson Cancer Center. They had the chance to protect your data, but they refused to make a deal.” That email also tells recipients it’ll only cost $50 to get that info scrubbed from the dark web.
“I definitely went back and forth on it, you know, $50 for my social security number not being out there, that sounds OK,” said Quinlan. He added, “There’s no honor amongst thieves, so I didn’t feel I could trust that $50 would go on to remove my information.”
Fred Hutch Cancer Center says they’re working to find out how many patients had their information leaked, but they know that email has gone to others.
The Cancer Center has been telling patients:
We are sorry you’re receiving these messages. Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages. If the message demands a ransom, DO NOT PAY IT. Please report these messages to the FBI’s Internet Crime Complaint Center at ic3.gov. Then block the sender and delete the message. In addition, you may consider reporting the message as spam through your email.
Quinlan says he hasn’t gotten that message from the Cancer Center. He also says he’s never set foot in the Cancer Center, but he is a patient with UW Medicine.
“If you look where the domain is from, that’s a Brazilian domain, and who knows if the hackers are there or if they hacked that website that’s sending emails,” said Quinlan.
Seattle Cancer Care Alliance and Fred Hutch Cancer Research Center merged in 2022 to form Fred Hutch Cancer Center. Fred Hutch is an independent organization that also serves as UW Medicine’s cancer program.
Again, to report getting that extortion email, Fred Hutch encourages victims to make a report at https://www.ic3.gov/
The University of Washington provided the following statement to KIRO 7 News:
Fred Hutchinson Cancer Center recently experienced a cybersecurity incident. We are close partners with Fred Hutch Cancer Center; Fred Hutch serves as UW Medicine’s cancer program and we advance cancer research together through the Fred Hutch/University of Washington/Seattle Children’s Cancer Consortium.
As a result of our work with Fred Hutch, the cybersecurity incident experienced on Fred Hutch systems impacted data for some UW Medicine patients who have not been seen at Fred Hutch.
At this time, we don’t believe our University-based system has been compromised. A forensic team is continuing to assess the situation and Fred Hutch will directly contact any individuals whose information was involved.
Patient care is not interrupted; Fred Hutch, UW Medical Center, Harborview Medical Center and UW Medicine Primary Care clinics are open and serving patients.
Fred Hutch has established a dedicated call center to support patients: 888-983-0612, available Monday through Friday between 6 a.m. – 6 p.m. PT and Saturday and Sunday between 6 a.m. – 2 p.m. PT. You can also find information specific to this incident at fredhutch.org/data-security.