Cybercriminals Bully Cancer Patients With Swatting ThreatExtortion Demands, Lawsuits Pile Up After Fred Hutchinson Cancer Center Hack
A rash of swatting calls brought law enforcement agencies to the doorsteps of lawmakers, prosecutors, judges and other state and local officials during the Christmas holidays. Police say these bogus reports to 911 are dangerous pranks in which someone could get hurt.
See Also: Healthcare Sector Threat Brief
Now, cybercriminals are using the threat of swatting as a way to extort money from cancer patients of the Seattle-based Fred Hutchinson Cancer Center, which was hit in November with a cyberattack affecting about 1 million individuals.
According to a proposed class action lawsuit filed against the cancer center, cybercriminals have demanded that at least 300 current and former patients pay $50 to have their information scrubbed and to prevent that information from being sold on the dark web. In a few cases, fraudsters threatened to call in bogus 911 emergencies at the victim's home or location - if they don't pay up.
"Unfortunately, this is a common tactic threat actors use, and we have notified local and federal law enforcement of these messages," says the cancer center's website, acknowledging that some patients have received communications from the attackers.
Fred Hutchinson Cancer Center, an independent nonprofit that also serves as the cancer program provider of UW Medicine, detected "unauthorized activities" on portions of its clinical network on Nov. 19.
The institution said it immediately took steps to contain the activity, notified federal law enforcement and began an investigation with the assistance of a third-party forensic security firm.
The investigation determined that the attackers had obtained patient information from Fred Hutchinson systems between Nov. 19 and Nov. 25.
"Based on the information available, the criminal group responsible is outside the United States," Fred Hutchinson said in its public notice.
"Unfortunately, all organizations face cybersecurity risks, and multiple healthcare institutions have been targeted by these kinds of attacks in the past. In this instance, hackers exploited a vulnerability in a software called Citrix that allowed them to gain access to our network, similar to what they've done in hospitals across the country," the cancer center said.
The Citrix Bleed vulnerability was the subject U.S. government and healthcare industry warnings in late November (see: Feds, AHA Urge Hospitals to Mitigate Citrix Bleed Threats).
Fred Hutchinson said its IT and security team detected the unauthorized IT activity, mitigated the vulnerability and stopped additional issues. "We are continuously updating and enhancing systems to prevent external parties from accessing information and have implemented additional defensive tools and increased monitoring to help prevent events like this from occurring in the future."
As of Wednesday, nearly a dozen lawsuits filed against the institution in recent weeks and days allege claims of negligence and other missteps by Fred Hutchison in failing to protect plaintiffs and class members' sensitive information.
Some of the lawsuits also allege that plaintiffs have experienced a spike in spam emails and phone calls, despite being on the "do not call" list.
The cancer center advised patients not to pay any ransom demands. "Please report these messages to the FBI’s Internet Crime Complaint Center. Then block the sender and delete the message. In addition, you may consider reporting the message as spam through your email," the cancer center said.
Fred Hutchinson did not immediately respond to Information Security Media Group's requests for details, including comment on the claims involving swatting threats and extortion demands directed at patients.
The FBI in a statement to Information Security Media Group on Wednesday said it is aware of the swatting threats facing Fred Hutchinson patients but added that it has no information to indicate that a swatting event took place related to this breach.
"We worked with and continue to work with our law enforcement partners in the impacted jurisdictions regarding this threat and are not able to provide additional information," the FBI said.
"The FBI takes swatting very seriously because it can place innocent people at risk and takes responders away from real emergencies. While the FBI does not provide status updates on investigations, we appreciate proactive reporting from companies or individuals, which is key to the FBI's efforts to identify, locate and hold responsible cybercriminals for their actions. As a reminder, the FBI does not recommend paying ransoms because there is no guarantee that the record would be deleted. The FBI is aware that in similar incidents cybercriminals have been paid by companies or individuals to delete data and the data was not in fact deleted."
In relation to swatting in general and not just cyberattacks, the FBI said it has initiated the Virtual Command Center known as the National Common Operation Picture. "The NCOP-VCC is a collaborative effort between the FBI and law enforcement partners to track and create a real-time picture of swatting incidents. Established in May 2023, this initiative is open to any law enforcement agencies and fusion centers who wish to participate in tracking and sharing swatting information in respective jurisdictions."
Tactics Becoming 'More Extreme'
Some experts say the swatting threats against Fred Hutchinson patients involving the cyberattack are troubling. Brett Callow, a threat analyst at security firm Emsisoft, said it may be the first case of swatting used in cybercrime extortion.
"I fully expect that bad actors will eventually act on their threats. The tactics used have become progressively more extreme and, unfortunately, it seems inevitable that real-world violence will eventually become part of the extortion model," he said.
"This will be a direct consequence of ransom payments having ballooned to lottery jackpot levels. People are willing to do very bad things to get their hands on that amount of money."
Fred Hutchinson said information compromised in the breach varies by individual but may include name, address, phone number, email address, birthdate, Social Security number, health insurance information, medical record number, patient account number, dates of service, clinical information such as treatment or diagnosis, lab results or provider name.
The incident specifically involved Fred Hutchinson's IT systems, "but those systems also had some data for patients who received care at UW Medical Center, Harborview Medical Center and UW Medicine Primary Care clinics," the cancer center said in its breach notice.
Because Fred Hutchinson also provides laboratory services to many external healthcare institutions, data related to lab tests performed on patients cared for by other practices also may be affected.
So far, Fred Hutchinson said, it has no evidence that hackers accessed its Epic electronic medical records system. The organization's investigation, which is ongoing, has not found evidence suggesting that research study or sponsor data was affected in the incident.
The cyberattack against Fred Hutchinson is not the only incident the cancer center is currently handling. It has a public notice posted on its website about a recently lost laptop.
Fred Hutchinson said that on Oct. 27, it learned that one of its providers had lost a personal laptop while traveling.
"The provider used their laptop to access Fred Hutch email through the Microsoft Outlook application," the notice said. "The personal laptop was password protected and the provider initiated a remote wipe should the laptop come online. To date, the laptop has not connected to the internet, and we have no reason to believe that any of the information on the laptop was accessed."
Patient information potentially contained on the provider's email account includes name, address, phone number, birthdate, medical record number, patient account number, dates of service, and/or certain clinical information related to care at Fred Hutchinson. For a limited number of patients, a Social Security number also may have been affected.
The notice does not indicate how many individuals are potentially affected by the lost laptop.
*Updated with statement from the FBI on Jan. 10, UTC 21:43