Just when we thought that healthcare cybersecurity news had reached a peak level of horror – now cybercriminals are extorting money directly from cancer patients. Hackers have made money demands directly to patients, and in some cases, patients have been threatened with “swatting,” a fake 911 call that triggers a law enforcement response.

This started in November 2023 when Seattle-based Fred Hutchinson Cancer Center was hit with a cyberattack affecting about 1 million individuals. The Cancer Center is an independent nonprofit that also provides cancer program services for the University of Washington School of Medicine. According to its notice to patients, the Cancer Center detected “unauthorized activities” on its network on November 19, 2023.

The organization immediately took steps to contain the activity, notified federal law enforcement, and retained a third-party forensic security firm to investigate. The investigation revealed that the attackers had obtained patient information from the Cancer Center systems between November 19 and November 25.

Lawsuits Filed by Affected Patients

Nearly a dozen lawsuits have been filed against Fred Hutchinson Cancer Center as of January 10, according to HealthcareInfoSecurity. The suits allege claims of negligence and other missteps by Fred Hutchison in failing to protect plaintiffs’ and class members’ sensitive information. HealtcareInfoSecurity also notes that some of the lawsuits also allege that plaintiffs have experienced a spike in spam emails and phone calls despite being on the “do not call” list.

According to one class action lawsuit against the Cancer Center, the hackers have demanded that at least 300 patients pay $50 to delete their information and prevent it from being sold on the dark web. In a few cases, the hackers threatened to make fake 911 calls about emergencies at the patient’s home or location if they refused to pay.

Follow the HIPAA Security Rule to Protect Patient Data

As we’ve reported recently, the healthcare sector is experiencing historic levels of cyber threats, with hackers becoming more aggressive in seeking more significant troves of patient data.

The attack on individual patients is rare and alarming if it is a sign of things to come.

The best defense against cybercrime is robust HIPAA compliance. Stay ahead of the hackers. Follow the Security Rule, do a Risk Analysis, and train the workforce in cybersecurity awareness.

Free HIPAA Checklist
What best describes you?