When hospital ransomware attacks target patients: A new trend to follow

When Fred Hutchinson Cancer Center in Seattle was impacted by a security breach last November, it seemingly did everything right. Center officials announced that they “immediately took steps to contain the activity, notify federal law enforcement and began an investigation with the assistance of a third-party forensic security firm.” During the incident, an unauthorized third party, thought to be outside the U.S., accessed their clinical network and obtained patient information such as addresses, phone numbers, health insurance information and Social Security numbers for up to an estimated 1 million people.

But when the alleged hackers didn’t get the ransom they demanded from the medical center, they took things a step further — contacting patients directly. 

It’s part of a newer trend called “double ransomware,” said Chris Callahan, chief of cybersecurity for the Cybersecurity and Infrastructure Agency (CISA)’s Region 10 (covering Alaska, Idaho, Oregon and Washington), in an interview with AHCJ. CISA is a federal agency that helps protect the country from cyberattacks and other threats. 

Journalists covering hospitals and health IT should be aware of and report on this phenomenon to alert and help protect their audience members — and themselves.

Hackers try to extort Fred Hutch patients

In early December, hackers began sending emails to some former and current patients of the center and its partner, the University of Washington (UW) Medicine. The hackers claimed the names, Social Security numbers, phone numbers, medical history, lab results and insurance history of more than 800,000 patients had been compromised, according to a Seattle Times article. 

“If you are reading this, your data has been stolen and will soon be sold to various data brokers and black markets to be used in fraud and other criminal activities,” said the emails (shared with the Seattle Times), noting that the medical center “refused to make a deal.” The emails listed these patients’ addresses, phone numbers and medical record numbers, along with a link where the data supposedly was on sale, and instructions how to pay $50 in bitcoin to take it down, the Times reported.

Cancer center officials urged patients not to send money but instead to report the notes to the FBI’s internet crime complaint center at www.ic3.gov, then delete the message and block the sender. They also issued a press release and contacted individuals whose information was involved, offering complimentary credit monitoring and identity protection services, in addition to establishing a dedicated call center and website. 

Things escalated again earlier this month, when some patients received “swatting” threats in addition to the earlier emails, the Seattle Times reported. These are warnings indicating that unless the hackers received payment, they would make bogus claims about the patient to law enforcement — like there are hostages about to be executed or bombs about to go off at their homes — so that emergency response officers like SWAT teams would show up, the Times said. 

Meanwhile, at least seven class-action lawsuits were filed against the cancer center as a result of the breach and resulting emails, according to the Seattle Times. One complaint said the center “owed a duty” to two plaintiffs to provide “reasonable and adequate security measures to secure, protect and safeguard” their information, the article said. These individuals said they heard from the hackers before receiving notification about the breach from the cancer center. 

More about double ransomware: Avoiding shaming and staying safe

In double ransomware, hackers launch a ransomware attack against a hospital “and then exfiltrate, or move, a bunch of data off-site that a lot of times will have patient information,” said Callahan, who could not comment on the specifics of the Fred Hutchinson case. “Then, if the organization doesn’t pay, they’ll go after specific patients and basically do an attack on them to try to collect $300, $400, $500. This is a new method that’s coming out. We’re seeing it a lot. And it’s being used to try to just scrape money for these organized crime units moving forward.”

In a situation like Fred Hutchinson’s, he said, hackers could easily use generative artificial intelligence to create a script for emails to patients: “If they fish 800,000 records and everybody pays $50, then that’s a good day for them. I think this is the evolution of the next type of attack we’re going to see.”

Frequently, people who fall victim to these schemes and pay the ransom feel ashamed and don’t want to talk about it, Callahan added. “Something we need to really focus on in this industry is getting away from the shaming of victims and organizations, because the more we talk about it, the more people are educated and the more they can defend themselves against these types of attacks,” he said.

Legislation signed by President Biden in March 2022 called the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires all critical infrastructure entities to report cybersecurity incidents or ransomware attacks to CISA within 72 hours and also report within 24 hours if they have made a ransomware payment. Organizations can share information to report@cisa.gov or by calling (888) 282-0870. It is not yet mandatory until the legislation’s final rule is issued but institutions are encouraged to do this now.  

There are several steps that patients can take to protect themselves, Callahan said: 

• Use strong passwords or employ a password manager. 
• Use multifactor authentication, a process used by banks and other industries that require more than just your username and password to access information. This means you input your username and password, then have to also enter a six-digit code provided in a mobile app on your phone. 
• Never open attachments or click on links embedded in suspicious emails or texts. 
• Install all updates to your software and programs.
• Monitor your credit to look for any suspicious activity. 
• If you get a call that sounds suspicious, hang up and call the person back “because it’s probably not who you think it is,” Callahan said.
• Do not pay ransomware or send gift cards or other forms of payment requested by hackers.

CISA also offers free cybersecurity services to businesses in which they will conduct a cyber hygiene scan of all internet-facing devices, or run mock ransomware situations to help businesses prepare. 

Over the past decade, more than 489 million patient records have been compromised, according to a 2024 report from Fortified Health Security, a healthcare cybersecurity provider. With the average recovery cost exceeding $9.48 million per breach, the report said, health care data breaches are the most costly among all industries. The volume of health care breaches declined slightly from 721 in 2022 to 655 in 2023, however the number of patient records exposed rose to more than 116 million, a 108% increase from the previous year. 

Expert sources

• You can request an interview with a CISA expert by emailing CISAMedia@cisa.dhs.gov. 
• John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, can be reached through the AHA press office at media@aha.org.

Resources

• Fred Hutch patients receiving email threats following cyberattack – a Seattle Times article
• Email threats to patients escalate after Fred Hutch cyberattack – a Seattle Times article 
• Barrage of Lawsuits Against Fred Hutch Arrives After Recent Data Leak – a Seattle Times article reposted on Emery Reddy.com
• Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Fact Sheet 
• Fact sheet from CISA on what type of information to report
• Secure Our World – a fact sheet from CISA on how to protect yourself, your family and your business from online threats