Cybercriminals seek to extort Fred Hutch patients for about $2M

Patients at Fred Hutchinson Cancer Center are receiving extortion emails following a reported data breach that occurred late last month.

WHY IT MATTERS

Nick Quinlan, a Fred Hutch patient, was asked to pay 50 bitcoin to prevent his data from being leaked, according to an NBC15 Seattle report.

“They had the opportunity to protect your data, but they refused to make a deal,” the attackers said, according to a screenshot of an email Quinlan received on December 6.

The email claims that names, social security numbers, addresses, phone numbers, medical histories, laboratory results and insurance histories of 800,000 Fred Hutch patients were compromised.

“We cannot speculate on the total number of individuals who may have been affected,” Fred Hutch said, according to the report, noting that the organization will contact affected patients within 60 days.

The email included a redacted sample of Quinlan's protected data as evidence.

He reportedly did not pay the ₿50, which is valued at just over $2 million based on the average Bitcoin price of around $40,000.

Fred Hutch continues to review the data involved in the Nov. 19 breach of its clinical network and is working to complete the investigation as quickly as possible, said Christina VerHeul, the organization's vice president of communications.

“We are aware that some of our patients have received threatening spam emails. We are sorry that they are receiving these messages,” she told Healthcare IT News by email. She could not say how many patients were known to have received extortion emails like Quinlan's.

“Unfortunately, this is a common tactic that cybercriminals use, and we have alerted local and federal law enforcement to these messages,” VerHeul said.

THE BIG TREND

Direct extortion of patients is not new: when cybercriminals cannot get a ransom from their healthcare organization targets, they turn to contacting patients directly with threats to publish their data, photos or even genetic information.

The data extortion group Karakurt said on its website in July that it had stolen data on medical staff and patients from the McAlester Regional Health Center in Oklahoma.

In August, Cl0p published a 40GB set of public health data on the dark web that allegedly belonged to CareSource, an Ohio-based nonprofit that provides public health care programs.

Patients are increasingly suing healthcare organizations over data breaches, alleging violations of HIPAA privacy protections.

ON THE RECORD

“I can't imagine anyone with serious health problems considering how an insurer or future employer could gain access to that information,” Quinlan said in the report.

“We encourage patients, if they receive a message demanding a ransom, not to pay it,” VerHeul said. “Report these messages to the FBI's Internet Crime Complaint Center at IC3.gov. Then block the sender and delete the message.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
