Fred Hutchinson Cancer Center patients receive extortion emails

“Your data has been stolen and will soon be sold to various data brokers and black markets to be used in fraud and other criminals,” the alleged attackers say in an email sent directly to one patient.

Fred Hutchinson Cancer Center patients are receiving extortion emails stemming from a reported data breach that occurred late last month.

Why it matters
Nick Quinlan, a Fred Hutch patient, was asked to pay 50 bitcoin to prevent his data from being leaked, according to the NBC15 Seattle report.

“They had the chance to protect your data, but they refused to make a deal,” the attackers said, according to a screenshot of an email Quinlan received on December 6.

The email claims that names, social security numbers, addresses, phone numbers, medical history, lab results and insurance histories of 800,000 Fred Hutch patients have been compromised.

“We cannot speculate about the total number of individuals who may have been impacted,” Fred Hutch said according to the report, noting that the organization will be contacting affected patients within 60 days.

The email included a redacted sample of Quinlan’s protected data as proof.

He reportedly did not pay the ₿50, which is valued at just over $2 million, based on the average Bitcoin price of about $40,000.

Fred Hutch is continuing to assess the data involved when its clinical network was breached on November 19 and is working to complete the investigation as quickly as possible, according to Christina VerHeul, the organization’s associate vice president of communications.

“We are aware that some of our patients have received threatening spam emails. We are sorry they are receiving these messages,” she told Healthcare IT News by email. She was not able to report how many patients were known to have received extortion emails like Quinlan’s.

“Unfortunately, this is a common tactic that cybercriminals use, and we have notified local and federal law enforcement of these messages,” VerHeul said.

The larger trend
Direct patient extortion is not new – once cybercriminals do not get their ransom from their healthcare organization targets, they move on to contacting patients directly with threats to publish their data, pictures or even genetic information.

The Karakurt data extortion group said on its website in July that it had stolen data on medical staff, as well as patients from McAlester Regional Health Center in Oklahoma.

In August, Cl0p exposed a 40-GB set of public health data on the dark web that allegedly belonged to CareSource, an Ohio-based nonprofit organization providing public healthcare programs.

Patients are increasingly suing healthcare organizations over data breaches under violations of HIPAA privacy protection laws.

On the record
“I can’t imagine somebody who has serious health issues thinking about how an insurer or future employer might be able to access that information,” Quinlan said in the report.

“We are encouraging patients that if they receive a message that demands a ransom, do not pay it,” VerHeul said. “Report these messages to the FBI’s Internet Crime Complaint Center at IC3.gov. Then block the sender and delete the message.” Healthcare IT News