The Register

US medical org pays $50M+ to settle case after crims raided data and threatened to swat cancer patients

A Seattle cancer facility has agreed to fork out around $52.5 million as part of a class action settlement linked to a Thanksgiving 2023 cyberattack where criminals directly threatened cancer patients with swat attacks.

The Fred Hutchinson Cancer Center (Fred Hutch) disclosed its November 2023 attack a month later, after it confirmed that criminals had made off with personal and sensitive data, including health insurance information, patients’ treatments, diagnoses, lab results, and more.

That data was then used by the attackers in question to carry out highly aggressive extortion tactics, which according to the original class action complaint [PDF], allegedly included directly contacting some patients via email and threatening to swat them. The complaint claimed:

The FBI was called in.

Cybercriminals often use pilfered data as a bargaining chip with the organization from which it was stolen: pay up or we publish your data – that’s the way it usually goes.

Tactics like sending threatening emails to patients and calling in fake bomb threats to their homes aren’t unheard of – Karakurt has been known to be similarly aggressive in the past – but instances of swattings being linked to cyberattacks are much more of a rarity.

The FBI recently felt compelled to issue a PSA about the practice, but these swatting cases weren’t related to cyberattacks so much as they were politically charged.

Breaking down the settlement [PDF], Fred Hutch will pay around $11.5 million in cash to members of the class action, roughly $13.5 million in secure infrastructure improvements, and close to $25.5 million for medical fraud monitoring and insurance for class members.

Lawyers brought the class action against Fred Hutch on behalf of around 2.1 million people, although only 140,000 of those applied for settlement benefits by the May 7 deadline.

The validity of each claim is yet to be determined, but each person who submitted before the deadline will be eligible for a payment of up to $599, or up to $5,000 for those who can demonstrate material losses as a result of the attack.

The Register contacted Fred Hutch for a response but it did not immediately respond. 

In a statement given to the Seattle Times, a spokesperson for the cancer center said it takes the security of its data “very seriously,” that Fred Hutch isn’t aware that any patient data has been sold since the attack, and it did not pay any ransom demand.

Hunters International, the ransomware organization that claimed responsibility for the attack on Fred Hutch, initially claimed 1 million patients had their data stolen, but this number was later revised to around 800,000.

However, because the cancer center worked so closely with the nearby medical department within the University of Washington, some of the patients at UW were also affected by the theft.

Hunters International, or just “Hunters,” is known for its willingness to attack any and all kinds of organizations, including plastic surgeons’ offices; during one such attack it leaked sensitive pre-op images of patients.

While it is not the most prolific of the ransomware gangs out there, it has laid claim to some major scalps, with ICBC, Tata Technologies, and Fred Hutch arguably being the biggest and most impactful.

The criminals working under the Hunters brand are thought to have wormed their way into Fred Hutch’s systems by exploiting the CitrixBleed vulnerability, the critical bug that was being mass-exploited by at least two ransomware groups weeks before the Fred Hutch attack.

Group-IB researchers said recently that the group’s higher-ups told affiliates that ransomware has become “unpromising, low-converting, and extremely risky,” hinting at an apparent rebrand.

While Hunters is still plodding along, Group-IB said it believes the group’s leaders are focusing more on its World Leaks project – an extortion-only operation. No ransomware. ®
