Notice to Our Patients of Data Security Incident
Fred Hutchinson Cancer Center is committed to protecting the privacy and security of patient information. This notice concerns a recent data security incident that involved some of that information.
What Happened?
On November 19, 2023, we detected unauthorized activity on limited parts of our clinical network. We immediately took steps to contain the activity, notified federal law enforcement and began an investigation with the assistance of a third-party forensic security firm. The investigation determined that an unauthorized third party accessed the clinical network and obtained patient information from Fred Hutch systems between November 19 and November 25, 2023.
What Information Was Involved?
The information involved varies by individual, but may include name, address, phone number, email address, date of birth, Social Security number, health insurance information, medical record number, patient account number, date(s) of service and/or certain clinical information such as treatment/diagnosis information, lab results, or provider name. Fred Hutch’s electronic medical record system was not involved or accessed, and all Fred Hutch clinics have remained open and actively serving patients throughout this incident.
What is Fred Hutch Doing?
Fred Hutch greatly values patient trust and is committed to safeguarding personal information. We are continuously updating and enhancing systems to protect personal information and have implemented additional defensive tools and increased monitoring to help prevent events like this from occurring in the future.
On December 20, 2023, Fred Hutch began mailing letters to patients whose information was involved, and is offering patients whose Social Security number may have been involved complimentary credit monitoring and identity protection services. Patients are also encouraged to review statements from their health insurer and to contact their insurance company immediately if anything is inaccurate.
What Can Patients Do?
Fred Hutch recommends patients remain vigilant to protect against potential fraud and/or identity theft by reviewing account statements, monitoring credit reports, and notifying financial institutions of any potential suspicious activity. Patients may also wish to review the tips provided by the Federal Trade Commission (or FTC) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft.
For more information about identity protection and to contact the FTC, please visit https://www.identitytheft.gov/#/ or call 1-877-ID-THEFT (1-877-438-4338). You may also contact the FTC at Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
For More Information.
If patients have questions, they are encouraged to call Fred Hutch’s dedicated call center at 1-888-983-0612, Monday through Friday, between 6 a.m. and 6 p.m. Pacific Standard Time.
Additional frequently asked questions are below. You can also view the press release.
Frequently Asked Questions
Based on the information available, the criminal group responsible is outside the United States. Fred Hutch notified federal law enforcement and is providing information to support their investigation.
Unfortunately, all organizations face cybersecurity risks and multiple healthcare institutions have been targeted by these kinds of attacks in the past. In this instance, hackers exploited a vulnerability in software called Citrix that allowed them to gain access to our network, similar to what they’ve done in hospitals across the country. Fred Hutch has experienced technology professionals and security tools in place that detected the unauthorized activity, fixed the vulnerability and effectively prevented additional issues. We are continuously updating and enhancing systems to prevent external parties from accessing information and have implemented additional defensive tools and increased monitoring to help prevent events like this from occurring in the future.
Our analysis is ongoing, but we estimate approximately 1 million individuals may be affected. Fred Hutch has started to mail notification letters to these individuals.
The cybersecurity incident involved Fred Hutch systems that also contained some data for patients who received care at UW Medical Center, Harborview Medical Center or UW Medicine Primary Care clinics. At this time, there is no evidence that the UW-based system was impacted.
Fred Hutch serves as UW Medicine’s cancer program. As a result of our relationship, we share health care information when necessary for payment and certain joint health care operations, including quality assessment and improvement activities, training, accreditation, business planning and development, and general administrative activities. Further, UW Medicine clinicians provide care to patients at Fred Hutch and some services are provided across multiple locations; the patient data necessary to provide this care is shared across systems. The cybersecurity incident specifically involved Fred Hutch systems, but those systems also had some data for patients who received care at UW Medical Center, Harborview Medical Center and UW Medicine Primary Care clinics.
Fred Hutch also provides laboratory services to many healthcare institutions. So, it is possible that Fred Hutch has your data because we performed laboratory services for your provider.
A forensic team is continuing to assess the situation and Fred Hutch will directly contact individuals whose information was involved.
At this time, there is no evidence that the Epic system was impacted.
The Fred Hutch research network was not accessed. Our investigation is ongoing, but at this time we do not have reason to believe that study or sponsor data was involved.
No, patients can still access MyChart.
We are sorry you’re receiving these messages. Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages. If the message demands a ransom, DO NOT PAY IT. Please report these messages to the FBI’s Internet Crime Complaint Center at ic3.gov. Then block the sender and delete the message. In addition, you may consider reporting the message as spam through your email.