Fred Hutchinson Cancer Research Center agrees to dish out $11.5 million in settlement for a data breach lawsuit

Massive Data Breach at Fred Hutchinson Cancer Center Exposes Personal Info of 2.1 Million Individuals. Compensation for Affected Parties to Be Significantly Less Than Expected.


Fred Hutchinson Cancer Center has agreed to pay $11.5 million to victims of a 2023 data breach, which exposed the personal information of nearly 2.1 million individuals. The breach, which targeted parts of Fred Hutch's clinical network around Thanksgiving a year and a half ago, led to a wave of concern among former and current patients, some of whom were flooded with spam messages and email threats after the cyberattack.

At least nine lawsuits were filed against Fred Hutch, alleging the Seattle cancer care and health research center failed to provide adequate data security. These complaints have since been consolidated into one class action lawsuit, which was finalized with a settlement order by King County Superior Court Judge Wyman Yip in May 2022.

In the settlement order, Judge Yip stated that the agreement was negotiated "in good faith" and is "fair, reasonable, adequate and in the best interest of class members." Fred Hutch said in a statement that it remains committed to safeguarding personal data and continues to invest in strengthening its security.

The certified class consists of anyone whose personal information was in a database that could have been accessed or viewed by hackers, whether or not it was actually compromised. This group includes patients, employees, and insurance policyholders. Of the eligible class, about 140,000 people submitted claims for settlement benefits by the May 7 deadline.

Class members who filed valid claims by the deadline are eligible to receive up to $599, with some possibly able to submit a claim for up to $5,000 for out-of-pocket losses incurred as a direct result of the data breach, according to court records. It won't be clear how much each class member will receive on average until all claims are reviewed and validated.

Fred Hutch said last year that hackers exploited a vulnerability in workspace software called Citrix, allowing them access to its network. The weakness, known as "Citrix Bleed," gained attention from federal cybersecurity teams, who said it allowed "threat actors" to bypass password requirements and multi-factor authentication measures. The personal information of some UW Medicine patients was also involved in the cyberattack, even if they had never received services at Fred Hutch.

Overall, the agreement orders Fred Hutch to provide about $52.5 million, which includes the $11.5 million in cash payments to class members, as well as about $13.5 million in security improvements to its data network and about $25.5 million worth of two-year subscriptions for medical fraud monitoring and insurance for class members. Class members should expect to receive a notice in the mail in the next couple of months, with information about the settlement and how they can submit a claim for payment.

Hospitals and health care organizations across the state and nationwide have been popular targets for cybercriminals over the past few years, largely because they hold a vast amount of patient data. Some breaches have caused delays in patient procedures, rerouted ambulances, and crashed systemwide operations. In February 2024, a massive cyberattack crippled Change Healthcare, a subsidiary of UnitedHealth Group that handles health care payments, and disrupted hospital operations throughout the country, including in Washington state. The data of over 190 million patients was exposed in that incident, according to the American Hospital Association. At the time, the AHA president called the Change cyberattack "the most significant and consequential incident of its kind against the U.S. health care system in history."

The Washington attorney general's office confirmed a record-high number of data breach notifications in 2024, which for the first time exceeded the state's population, according to an annual report. In the wake of the Fred Hutch cyberattack, the cancer center has committed to implementing certain security improvements, including performing audits and testing exercises, connecting with security consultants, consolidating IT systems, and limiting access to systems, among other additions. These changes will be added over the next three years, according to the settlement agreement.

What to do: While there is no foolproof way to ensure that your information is safe, there are some steps you can take to protect yourself from identity theft. Call the companies where the fraud may have occurred, work with one of the credit bureaus to check your credit report for suspicious activity and to place a fraud alert or credit freeze on your credit report, report the identity theft to the FTC at IdentityTheft.gov, file a report with your local police department, send a copy of the police report to the three major credit bureaus, ask businesses to provide you with information about transactions made in your name, and visit the Washington Attorney General's website for help if you receive a breach notification or believe you are a victim of identity theft. If you receive a threatening spam email, you can report it to the FBI's Internet Crime Complaint Center at ic3.gov.

  1. The data breach at Fred Hutchinson Cancer Center exposed the personal information of nearly 2.1 million individuals, leading to a wave of concern and flooding some with spam messages and email threats.
  2. At least nine lawsuits were filed against Fred Hutch, alleging the center's failure to provide adequate data security, which have since been consolidated into one class action lawsuit.
  3. The settlement order, negotiated in good faith by King County Superior Court Judge Wyman Yip, requires Fred Hutch to provide about $52.5 million, including cash payments to class members and security improvements to its data network.
  4. Hospitals and health care organizations, like Fred Hutch, have been popular targets for cybercriminals, causing delays in patient procedures, rerouting ambulances, and crashing systemwide operations.
  5. In the wake of the Fred Hutch cyberattack, the center has committed to implementing certain security improvements, such as audits and testing exercises, connecting with security consultants, consolidating IT systems, and limiting access to systems.
  6. To protect yourself from identity theft, consider calling the companies where fraud may have occurred, checking your credit report for suspicious activity, reporting the identity theft to the FTC, filing a report with your local police department, sending a copy of the police report to the credit bureaus, asking businesses to provide information about transactions made in your name, and visiting the Washington Attorney General's website for help if you receive a breach notification or believe you are a victim of identity theft.
