Patients of the Fred Hutchinson Cancer Research Center in the US are facing a new struggle following a recent ransomware attack.
There are few harder things for an individual to go through than a cancer diagnosis. It can upset every aspect of someone’s life, causing untold anxiety.
What can make such a diagnosis even worse is if the treatment centre you’re going to suffers a data breach, leading to reams of personal and clinical information being released wholesale onto the internet.
But for victims of a recent ransomware attack on a US cancer research centre, things have gotten worse still, with hackers now contacting victims directly and extorting them individually.
The details of the extortion efforts were revealed in a class action filing on behalf of the patients of the Fred Hutchinson Cancer Center in Seattle. The centre fell victim to a ransomware attack in November 2023, which led to the personal details of roughly 1 million people being exposed.
The gang behind the initial hack was Hunters International, which, based on some code similarities, is believed to be a rebranded iteration of the Hive ransomware operation. Hunters, however, denies this.
Hunters International published more than 530 gigabytes of data from Fred Hutchinson’s servers on 15 December, comprising more than 711,000 individual files.
While there is no evidence that it is Hunters that is currently targeting the cancer patients themselves, someone certainly is. According to the class action, at least 300 people have received emails demanding US$50 to have their data “scrubbed from the dark web”, and many more are reporting receiving spam and other threatening messages.
“We are sorry you’re receiving these messages,” Fred Hutchinson said in its FAQ on the incident. “Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages. If the message demands a ransom, DO NOT PAY IT.”
While Fred Hutchinson said it is doing everything it can to mitigate the incident, the lawyers behind the class action said that it is not enough.
“The exposure of one’s PII/PHI [personal identifying information/personal health information] to cyber criminals is a bell that cannot be unrung,” the class action read.
“Before this data breach, current and former patients’ private information was exactly that – private. Not anymore. Now, their private information is forever exposed and unsecure.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.