Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach
More than half a dozen lawsuits have been filed against the Fred Hutchinson Cancer Center over a cyberattack and data breach that occurred over the Thanksgiving weekend. Unauthorized individuals gained access to its network where patient data was stored and removed files containing names, contact information, medical information, and Social Security numbers. The Hunters International hacking group claimed responsibility for the attack, and when the Fred Hutchinson Cancer Center refused to pay the ransom demand, they turned their attention to patients and started contacting them directly demanding payment of $50 to have their stolen data deleted. The hacking group claimed to have stolen the data of 800,000 patients, although the breach was reported to the HHS’ Office for Civil Rights by Fred Hutchinson Cancer Center as involving the data of up to 1,840,927 individuals.
Class action lawsuits are commonly filed after large data breaches, and it was inevitable that the affected individuals would take legal action given that they had been directly threatened by the individuals behind the attack. The lawsuits make similar claims, and it is therefore likely that they will be consolidated into a single class action lawsuit. The most common claims are that the Fred Hutchinson Cancer Center was negligent by failing to implement reasonable and appropriate safeguards to protect its internal networks and patient data against unauthorized access and that the breach occurred as a result of those security failures.
One of the lawsuits – Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – was filed in the Superior Court of the State of Washington in King County, and claims that the plaintiffs believed that the defendants had implemented and maintained reasonable and appropriate security practices due to the representations of the defendants, when that was not the case. Both of the named plaintiffs claim they first learned about the data breach when they were contacted directly by the hackers and threatened with the public release/sale of their sensitive data. They claim that the Fred Hutchinson Cancer Center failed to issue prompt notifications to allow them to take steps to protect themselves against identity theft and fraud.
The lawsuit claims the plaintiffs and class members now face grave and lasting consequences from the attack and have suffered injury and damages including a substantial and imminent risk of identity theft and medical identity theft, loss of confidentiality of highly sensitive PII/PHI, deprivation of the value of PII/PHI, and overpayment for services that did not include adequate data security, and other harms. In addition to negligence, the lawsuit alleges negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act. The lawsuit seeks a jury trial and actual, statutory, and punitive damages, restitution, disgorgement, and nominal damages, and equitable, injunctive, and declaratory relief. Another lawsuit, Shawna Arneson v. Fred Hutchinson Cancer Center, was filed in the same court and makes similar claims, and alleges the actions of Fred Hutchinson Cancer Center violated HIPAA.
A third lawsuit – Doe v. Fred Hutchinson Cancer Center et al – was filed in the US District Court for the Western District of Washington by John Doe, the father of Jack Doe, and similarly situated individuals. Other defendants named in the lawsuit include UW School of Medicine, UW Medical Center, Harborview Medical Center, Valley Medical Center, UW Physicians, UW Neighborhood Clinics (dba UW Medicine Primary Care), Airlift Northwest, and Children’s University Medical Group.
Jack Doe received healthcare services from UW Medicine but was never a patient of the Fred Hutchinson Cancer Center; however, his data was shared with the Fred Hutchinson Cancer Center as both health systems work together to advance cancer research. The lawsuit alleges that the defendants failed to implement appropriate cybersecurity measures and failed to protect patients from “a flood of extortionary threats by cybercriminals.” The lawsuit alleges long-standing security failures, as the Fred Hutchinson Cancer Center also failed to prevent a breach of an employee email account in March 2022. The lawsuit seeks a jury trial and an award of damages, relief, and restitution.
Fred Hutchinson Cancer Center Data Breach Lawsuits
- Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – The plaintiffs are represented by Alexander F. Strong of Stobaugh & Strong P.C., Ben Barnow, Anthony L. Parkhill, and Riley W. Prince of Barnow and Associates.
- Doe v. Fred Hutchinson Cancer Center et al – The plaintiffs and class are represented by Turke & Strauss LLP.
- Shawna Arneson v. Fred Hutchinson Cancer Center – The plaintiffs are represented by Kim D. Stephens & Cecily C. Jordan of Tousley Brain Stephens PLLC.
Update: A settlement has been agreed upon to resolve the lawsuit. The defendants will create an $11.5 million settlement fund, and $13.5 million will be invested in cybersecurity improvements.


