Date: 2025-05-29

Elise Takahama, The Seattle Times

May 29—Fred Hutchinson Cancer Center has agreed to pay about $11.5 million to patients after a 2023 cyberattack put their personal data at risk.

Hackers targeted parts of Fred Hutch’s clinical network around Thanksgiving a year and a half ago, resulting in a wave of concern among former and current patients, some of whom were inundated with spam messages and email threats after the breach. At least nine lawsuits filed against Fred Hutch alleged the Seattle cancer care and health research center failed to provide adequate data security.

The complaints have since been consolidated into one, which King County Superior Court Judge Wyman Yip wrapped up with his final May 20 settlement order.

The agreement was negotiated “in good faith” and is “fair, reasonable, adequate and in the best interest of (class members),” Yip wrote in the order.

In a statement following the order, Fred Hutch said the cancer center remains committed to safeguarding personal data and continues to invest in strengthening its security.

“We greatly value the trust of our patients and employees, and take the security of personal information very seriously,” Fred Hutch spokesperson Christina VerHeul said in the statement.

The certified class consists of about 2.1 million people, which includes anyone whose personal information was in a database that could have been accessed or viewed by hackers, regardless of whether it was actually compromised, VerHeul wrote. That group includes patients, employees and insurance policy holders, she added.

A fraction of the eligible class — about 140,000 people — submitted claims for settlement benefits by the May 7 deadline, according to Cecily Jordan, an attorney with Tousley Brain Stephens, which represented patients. Kim Stephens, lead attorney for Tousley Brain Stephens, called the 8% claims rate “robust” and “a bit higher than most.”

The personal information of some UW Medicine patients was also involved in the cyberattack — even if they had never received services at Fred Hutch — because the two health care organizations work closely on cancer care and research, UW Medicine leaders said at the time. UW Medicine said then it didn’t believe its university-based system was breached.

Overall, the agreement orders Fred Hutch to provide about $52.5 million, which includes the $11.5 million in cash payments to class members, as well as about $13.5 million in security improvements to its data network and about $25.5 million worth of two-year subscriptions for medical fraud monitoring and insurance for class members, Stephens said.

Class members who filed valid claims by the deadline are eligible to receive up to $599, with some possibly able to submit a claim for up to $5,000 for out-of-pocket losses incurred as a direct result of the data breach, according to court records.

It won’t be clear how much each class member will receive on average until all claims are reviewed and validated, said Jordan.

Fred Hutch said last year it believed hackers “exploited a vulnerability” in a workspace software called Citrix that allowed them access to its network.

Around that time, the weakness, known as the “Citrix Bleed,” gained attention from federal cybersecurity teams, who said it allowed “threat actors” to bypass password requirements and multi-factor authentication measures.

Fred Hutch took its clinical network offline within 72 hours of the cyberattack, notified federal law enforcement and brought in a forensic security team to investigate, VerHeul said in an interview shortly after the breach. The cancer center also added more “defensive tools,” increased data monitoring and let patients know they should keep an eye on their bank statements and credit reports.

Fred Hutch initially said hackers accessed the data of about 1 million people, but that number was revised after further investigation.

A couple weeks later, some patients started to receive spam emails from the alleged hackers who claimed their names, Social Security numbers, phone numbers, medical history, lab results and insurance history had been compromised. Unless patients paid a fee, the alleged hackers threatened to sell their information to data brokers and on black markets, according to emails shared with The Seattle Times.

The following January, “swatting” threats began to emerge — which occur when a bogus claim is made to law enforcement so that emergency response officers, like SWAT teams, show up at a person’s home. The tactic puts both victims of these threats and first responders in danger, Steve Bernd, a former spokesperson for the FBI in Seattle, said at the time.

Fred Hutch has said it believes the perpetrators were based outside the U.S. The cancer care center is not aware of any patient data actually being sold to date, VerHeul wrote in an email.

Fred Hutch did not pay any ransom from alleged hackers, she said.

FBI spokesperson Amy Alexander said this week the agency didn’t have updates on the breach. She declined to answer questions about whether there have been arrests related to the case.

Hospitals and health care organizations around the state and nationwide have emerged as particularly popular targets for cybercriminals the last several years, largely because they hold a huge amount of patient data, from medical records to financial information. Some breaches have crashed systemwide operations, caused delays in patient procedures and rerouted ambulances.

In February 2024, a massive cyberattack crippled Change Healthcare, a subsidiary of UnitedHealth Group that handles health care payments, and disrupted hospital operations throughout the country, including in Washington state. In that incident, data of more than 190 million patients was exposed, according to the American Hospital Association.

At the time, the AHA president called the Change cyberattack “the most significant and consequential incident of its kind against the U.S. health care system in history.”

The Washington attorney general’s office last year confirmed a record high in the number of data breach notifications, which for the first time exceeded the state’s population, according to an annual report. In 2024, the office sent 11.6 million notices to Washingtonians who were affected by 279 breaches — up from a previous high of 6.5 million notices, the report said. (The U.S. Census Bureau estimated the state population in 2024 as 7.96 million.)

Since Fred Hutch’s cyberattack, the cancer center has committed to implementing certain security improvements, including performing audits and testing exercises; connecting with security consultants; consolidating IT systems; and limiting access to systems, among other additions, according to the settlement agreement. These changes will be added over the next three years, the agreement says.

Yip also awarded class counsel about $3.8 million in attorneys’ fees, and a service award of about $2,500 to eight class representatives each, per court records.

Class members should expect to receive a notice in the mail in the next couple months, with information about the settlement and how they can submit a claim for payment.

Information from The Seattle Times archives was included in this article.