Cancer patients face blackmail threats after Fred Hutch data breach
Dec 8, 2023, 6:38 AM
(Image courtesy of KIRO 7)
SEATTLE — As if battling cancer isn’t hard enough, now patients at UW’s Fred Hutchinson Cancer Center are being extorted.
Last month, the Cancer Center experienced a data breach, exposing data for an unknown number of patients.
Some of those patients are getting emails threatening to leak their personal information if they don’t pay up.
Nicholas Quinlan got one of those emails at 6:30 am Wednesday. He said he didn’t even know about the Nov. 19th data breach before then.
“To me, it felt like a real good sales tactic like here’s all your information do you want to pay to get it offline,” said Quinlan.
That email, which is attached below in its entirety said in the subject line, “[FREDHUTCH] QUINLAN NICHOLAS Your private data and medical history is being sold on dark net markets.”
It also says Quinlan is one of 800,000 patients whose “names, SSN, addresses, phone numbers, medical history, lab results, and insurance history,” is compromised.
“The email had information that looked pretty real. it had my address it had my patient record number; it had my insurer on it. I felt like it was pretty likely that data had been lost or was online publicly,” said Quinlan.
The email references the November data breach. It also says “We have been in contact with Fred Hutchinson Cancer Center. They had the chance to protect your data, but they refused to make a deal.” That email also tells recipients, it’ll only cost $50 to get that info scrubbed from the dark web.”
“I definitely went back and forth on it, you know $50 for my social security number not being out there that sounds ok,” said Quinlan. He added, “There’s no honor amongst thieves so I didn’t feel I could trust that $50 would go on to remove my information.”
Fred Hutch Cancer Center says they’re working to find out how many patients had their information leaked; but know that email has gone to others.
The Cancer Center has been telling patients:
We are sorry you’re receiving these messages. Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages. If the message demands a ransom, DO NOT PAY IT. Please report these messages to the FBI’s Internet Crime Complaint Center at ic3.gov. Then block the sender and delete the message. In addition, you may consider reporting the message as spam through your email.
Quinlan says he hasn’t gotten that email. He also says he’s never set foot in the Cancer Center, but he is a patient with UW Medicine.
“If you look where the domain is from, that’s a Brazilian domain, and who knows if the hackers are there or if they hacked that website that’s sending emails,” said Quinlan.
Fred Hutch and UW Medicine merged back in 2021, so the Cancer Center is under the umbrella of UW Medicine.
Again, to report getting that extortion email, Fred Hutch encourages victims to make a report at https://www.ic3.gov/