Fred Hutchinson Cancer Center Settles Class Action Data Breach Lawsuit for $11.5M
Fred Hutchinson Cancer Center and the University of Washington have agreed to pay $11,500,000 to settle a proposed class action data breach lawsuit and have committed to investing $13,500,000 to improve cybersecurity. The lawsuit stems from a cyberattack and data breach discovered after the Thanksgiving weekend in 2023. Hackers breached its network and stole the protected health information of approximately 2.1 million individuals between November 10 and November 25, 2023, including names, contact information, medical information, and Social Security numbers. The attack was conducted by the Hunters International threat group, which demanded a ransom payment to prevent the publication of the stolen data. When the ransom was not paid, the affected patients were sent individual ransom demands and were told that they needed to pay $50 to have their stolen data deleted, otherwise, it would be published online.
Several lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – In re: Fred Hutchinson Cancer Center Data Breach Litigation – in the Superior Court for the State of Washington in and for King County. The lawsuits asserted several claims against Fred Hutchinson Cancer Center, including negligence for failing to implement reasonable and appropriate security measures, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act, and against the University of Washington for negligence, breach of implied contract, and unjust enrichment. The plaintiffs claimed to have suffered damages as a result of the incident and the theft of their data.
The defendants denied and continue to deny all allegations and charges of wrongdoing and liability, and that the plaintiffs suffered any cognizable damage or harm; however, the decision was made to settle the lawsuit to avoid the risks, uncertainty, and cost of continuing the litigation. Under the terms of the proposed settlement, class members may submit a claim for up to $5,000 for reimbursement of documented, out-of-pocket losses that were caused as a direct result of the data breach, including losses relating to fraud and identity theft. Class members can also claim two years of credit monitoring and identity theft protection services, and a pro rata cash fund payment of $599.
Fred Hutchinson Cancer Center has committed to implementing additional security measures and will continue to do so over the next 3 years. Fred Hutchinson Cancer Center values the security measures and improvements over the next three years at no less than $13,500,000. The settlement has received preliminary approval from the court and the final fairness hearing is scheduled for May 20, 2025. The deadline for objecting to or opting out of the settlement is April 7, 2025, and claims must be submitted by May 7, 2025.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
While $11.5 million has been made available to cover claims and costs, according to The Seattle Times, the settlement is expected to cost approximately $52 million, as the credit monitoring services cost more than $25 million, and $13.5 million has been spent on security improvements.
