Extortion Demands, Lawsuits Pile Up After Fred Hutchinson Cancer Center Hack
A rash of swatting calls brought law enforcement agencies to the doorsteps of lawmakers, prosecutors, judges and other state and local officials during the Christmas holidays. Police say these bogus reports to 911 are dangerous pranks in which someone could get hurt.
Now, cybercriminals are using the threat of swatting as a way to extort money from cancer patients of the Seattle-based Fred Hutchinson Cancer Center, which was hit in November with a cyberattack affecting about 1 million individuals.
According to a proposed class action lawsuit filed against the cancer center, cybercriminals have demanded that at least 300 current and former patients pay $50 to have their information scrubbed and to prevent that information from being sold on the dark web. In a few cases, fraudsters threatened to call in bogus 911 emergencies at the victim’s home or location if the victim did not pay up.
“Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages,” says the cancer center’s website, acknowledging that some patients have received communications from the attackers.
Fred Hutchinson Cancer Center, an independent nonprofit that also serves as the cancer program provider of UW Medicine, detected “unauthorized activities” on portions of its clinical network on Nov. 19.
The institution said it immediately took steps to contain the activity, notified federal law enforcement and began an investigation with the assistance of a third-party forensic security firm.
The investigation determined that the attackers had obtained patient information from Fred Hutchinson systems between Nov. 19 and Nov. 25.
“Based on the information available, the criminal group responsible is outside the United States,” Fred Hutchinson said in its public notice.
“Unfortunately, all organizations face cybersecurity risks, and multiple healthcare institutions have been targeted by these kinds of attacks in the past. In this instance, hackers exploited a vulnerability in a software called Citrix that allowed them to gain access to our network, similar to what they’ve done in hospitals across the country,” the cancer center said.
The Citrix Bleed vulnerability was the subject of U.S. government and healthcare industry warnings in late November (see: Feds, AHA Urge Hospitals to Mitigate Citrix Bleed Threats).
Fred Hutchinson said its IT and security team detected the unauthorized IT activity, mitigated the vulnerability and stopped additional issues. “We are continuously updating and enhancing systems to prevent external parties from accessing information and have implemented additional defensive tools and increased monitoring to help prevent events like this from occurring in the future.”
As of Wednesday, nearly a dozen lawsuits filed against the institution in recent weeks and days allege claims of negligence and other missteps by Fred Hutchinson in failing to protect plaintiffs’ and class members’ sensitive information.
Some of the lawsuits also allege that plaintiffs have experienced a spike in spam emails and phone calls, despite being on the “do not call” list.
The cancer center advised patients not to pay any ransom demands. “Please report these messages to the FBI’s Internet Crime Complaint Center. Then block the sender and delete the message. In addition, you may consider reporting the message as spam through your email,” the cancer center said.
Neither Fred Hutchinson nor the FBI immediately responded to Information Security Media Group’s requests for details, including comment on the claims involving swatting threats and extortion demands directed at patients.
Tactics Becoming ‘More Extreme’
The Register reported last week that Fred Hutchinson had confirmed that the cancer center was aware of swatting threats against some patients and that the institution had notified the FBI and Seattle police.
Some experts say the swatting threats made against Fred Hutchinson patients in connection with the cyberattack are troubling. Brett Callow, a threat analyst at security firm Emsisoft, said it may be the first case of swatting used in cybercrime extortion.
“I fully expect that bad actors will eventually act on their threats. The tactics used have become progressively more extreme and, unfortunately, it seems inevitable that real-world violence will eventually become part of the extortion model,” he said.
“This will be a direct consequence of ransom payments having ballooned to lottery jackpot levels. People are willing to do very bad things to get their hands on that amount of money.”
Most recent swatting incidents have been tied to criminal activities such as hate crimes or have targeted politicians or other officials involved in controversies.
Breach Details
Fred Hutchinson said information compromised in the breach varies by individual but may include name, address, phone number, email address, birthdate, Social Security number, health insurance information, medical record number, patient account number, dates of service, clinical information such as treatment or diagnosis, lab results or provider name.
The incident specifically involved Fred Hutchinson’s IT systems, “but those systems also had some data for patients who received care at UW Medical Center, Harborview Medical Center and UW Medicine Primary Care clinics,” the cancer center said in its breach notice.
Because Fred Hutchinson also provides laboratory services to many external healthcare institutions, data related to lab tests performed on patients cared for by other practices also may be affected.
So far, Fred Hutchinson said, it has no evidence that hackers accessed its Epic electronic medical records system. The organization’s investigation, which is ongoing, has not found evidence suggesting that research study or sponsor data was affected in the incident.
The cyberattack against Fred Hutchinson is not the only incident the cancer center is currently handling. It has a public notice posted on its website about a recently lost laptop.
Fred Hutchinson said that on Oct. 27, it learned that one of its providers had lost a personal laptop while traveling.
“The provider used their laptop to access Fred Hutch email through the Microsoft Outlook application,” the notice said. “The personal laptop was password protected and the provider initiated a remote wipe should the laptop come online. To date, the laptop has not connected to the internet, and we have no reason to believe that any of the information on the laptop was accessed.”
Patient information potentially contained on the provider’s email account includes name, address, phone number, birthdate, medical record number, patient account number, dates of service, and/or certain clinical information related to care at Fred Hutchinson. For a limited number of patients, a Social Security number also may have been affected.
The notice does not indicate how many individuals are potentially affected by the lost laptop.