Fred Hutch Cancer Center clinical network breached

The organization reported that it detected intrusion over the Thanksgiving holiday. All clinics and the MyChart patient portal are operating.
By Andrea Fox
03:02 PM

Photo by: FatCamera/Getty Images

The Fred Hutchinson Cancer Center, an independent organization also serving as the cancer program for the University of Washington School of Medicine, said Friday that it was still assessing the potential impact on patients and employees.

WHY IT MATTERS

According to the Fred Hutch Cancer Center website, a criminal group outside of the United States is responsible for the unauthorized activity on the clinical network discovered on November 19.

The center's Epic electronic health records, as well as UW Medicine's network, do not appear to be impacted, but the investigation by federal law enforcement is ongoing.

The areas of the clinical network breached by the unauthorized users may contain patient information, but it could take weeks to find out, said Christina VerHeul, the organization’s associate vice president of communications, told The Seattle Times.

"The reality is, we don’t know to what extent information has been obtained, nor any of the details of what that information is," VerHeul said.

We spoke with VerHeul, but there is no update on the data security incident beyond the center's press statement at this time.

THE LARGER TREND

Last year the Fred Hutchinson Cancer Research Center merged with the Seattle Cancer Care Alliance to become the Fred Hutchinson Cancer Center. 

While Fred Hutch's precision oncology research system is not thought to be affected by the attack, merging health system networks can present challenges to cybersecurity. Combining legacy systems and siloed data, while a boost for interoperability, can elevate cybersecurity risks.

When CommonSpirit Health, which formed when Dignity Health and Catholic Health Initiatives merged in 2019, suffered a ransomware attack in October, the breach not only knocked electronic health record systems offline and disrupted medical operations across several states for nearly two weeks, it also affected Virginia Mason Franciscan Health. VMFH merged with CHI Franciscan, owned by CommonSpirit, in 2021.

That year, cancer software vendor Elekta was also attacked, exposing the protected health information of cancer patients and knocking some cancer treatments offline at Intermountain Health and at other health systems that use the software.

Exfiltrating high-profile or sensitive patient data can itself be a primary target for some cybercriminals. 

Earlier this year, an unauthorized user hacked into and stole sensitive photos of nearly 3,000 patients from the Lehigh Valley Health Network in Pennsylvania, demanding $5 million and eventually exposing those photos on the dark web.

Cybercriminals are increasingly going after individual patients, according to Dr. Eric Liederman, director of medical informatics for the Permanente Medical Group. Some patients know they could be targeted in a data breach of their healthcare providers and are reluctant to share health information because of it, he said at the HIMSS Cybersecurity Forum in September. 

ON THE RECORD

"Fred Hutch is committed to the safety, wellbeing and safeguarding of patient and employee information and is continuously updating and enhancing systems to prevent external parties from accessing information," the organization said in a press statement. "We have implemented additional defensive tools and increased monitoring to further protect data."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.