Lawsuit accuses Fred Hutch, UW Medical Center and more of failing to protect data amid breach

SEATTLE — There's great danger any time a cybercriminal gets a hold of personal information. This time, a data breach at the Fred Hutchinson Cancer Center was followed by ransom notes to Hutch patients and even those who have never been a patient there.

For example, Jack Doe, the Bainbridge Island child at the center of a new class action lawsuit.

That class action lawsuit accuses the Fred Hutchinson Cancer Center, University of Washington School of Medicine, UW Medical Center, and others of failing to protect sensitive data of its patients.

The suit stems from more than just a data breach of personal data and private medical records. The suit — filed by Turke & Strauss LLP, based in Madison, Wis. — accused the defendants of failing to provide security to stop “a flood of extortionary threats by cybercriminals to defendants’ current and former patients.”

RELATED |Fred Hutch confirms data breach, cyber criminals threatening patients

At 2 weeks of age, the suit says Jack had a follow up appointment at the UW Medicine Northgate Clinic.

Jack was never a patient at Fred Hutch, but Susan Gregg with UW Medicine said me the two health systems work together advancing cancer research and the data breach at the Hutch impacted data for some UW patients who have not been seen at Fred Hutch.

“I think a lot of critical infrastructure in organizations, such as hospitals are no exception and are going to be very prime targets for this kind of behavior,” said FBI spokesperson Steve Bernd.

Right now, the Washington Attorney General's website lists 10 other data breaches involving medical information reported during just the months of October and November. That list does not include the new breach at the Fred Hutch.

The FBI calls these types of cyber security threats a one stop shop for criminals.

Their advice is to

• check accounts for suspicious activity
• install security patches as soon as available
• use strong passwords and multi-factor authentication
• and use an off-line storage back-up system for your sensitive information.

The FBI also asks that anyone who received a ransom note, report it.

And what is the Hutch doing? They said they quarantined computer servers, alerted the federal investigators and hired a forensic security firm.

Hutch also received two ransom demands, according to the lawsuit filed in the U.S. District Court in Seattle. The lawsuit states that his father, John Doe, is taking this action on behalf of himself, his son, and all others harmed.

Before the data breach, the lawsuit states that private information was private, but not anymore.

“Now, their private information is forever exposed and unsecure,” the lawsuit says, adding that the exposure of personal health information “to cybercriminals is a bell that cannot be unrung.”

The lawsuit is demanding a jury trial and seeking class-action status.

The full list of defendants in the suit are:

• Fred Hutchinson Cancer Center
• UW School of Medicine
• UW Medical Center
• Harborview Medical Center
• Valley Medical Center
• UW Physicians
• UW Neighborhood Clinics (d/b/a UW Medicine Primary Care)
• Airlift Northwest
• Children’s University Medical Group

The suit accuses the defendants of failing to protect private information after a data breach on March 25, 2022, in which the defendants “discovered suspicious activity associated with a single employee’s business email account.”

With this new breach, the lawsuit claims the current action “is simply part and parcel of defendants’ pattern of negligently inadequate data security.”

The lawsuit seeks class-action status and asks the court to award damages, relief, restitution, and more to the plaintiff and class members.