Recently, Fred Hutchinson Cancer Center, formerly Seattle Cancer Care Alliance, reported a data breach after an unauthorized party gained access to an employee email account as well as the sensitive consumer data contained within the account. At this time, the complete list of all the data elements compromised in the account has not yet been released. However, on May 25, 2022, Fred Hutch filed official notice of the breach and sent out data breach letters to all affected parties, informing them of what information was compromised.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Fred Hutchinson Cancer Center data breach, please see our recent piece on the topic here.
What We Know About the Fred Hutchinson Cancer Center Data Breach
Based on an official filing by Seattle Cancer Care Alliance, on March 26, 2022, the organization learned that an unauthorized party temporarily gained access to an employee’s email account. Upon learning of the incident, Fred Hutch secured the compromised email account and began an internal investigation. This investigation confirmed that the email account in question contained certain patients protected health information, as well as their personal data. Fred Hutch believes that the period of unauthorized access was between March 25, 2022 to March 26, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Fred Hutchinson Cancer Center then reviewed the affected files to determine exactly what information was compromised. While the extent of the breached information has not yet been released by Fred Hutch, the organization confirmed it consists of certain individuals’ personal and protected health information.
On May 25, 2022, Fred Hutchinson Cancer Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Fred Hutchinson Cancer Center
Fred Hutchinson Cancer Center is a medical care provider based in Seattle, Washington. Fred Hutch is the result of the recent merger between Seattle Cancer Care Alliance and Fred Hutchinson Cancer Research Center. The newly formed Fred Hutchinson Cancer Center is a single, independent, nonprofit organization that is now a part of UW Medicine and UW Medicine’s cancer program. Prior to the merger, Seattle Cancer Care Alliance employed 1,811 employees and generated approximately $265 million in annual revenue, and Fred Hutchinson Cancer Center employs more than 3,000 people and generates approximately $984 million in annual revenue.
Data Breaches Affecting Personal Health Information Paragraph on a Related Topic
Protected health information refers to identifying information relating to a patient’s past, present or future health condition or how a patient pays for their healthcare. To be considered protected health information, data must contain one or more identifiers that either directly identifies the patient or can be used in conjunction with other information to identify the patient. Thus, when protected health information gets exposed to an unauthorized party, it means that with a little work, they can identify the patient it belongs to. But why does this matter?
The consequences of a healthcare data breach can be severe. Often, the data obtained through a healthcare data breach provides the hacker with enough information to commit identity theft or other frauds, much like in a traditional data breach involving financial information. However, the identity theft that stems from a healthcare data breach is harder to rectify and often comes at a far greater cost to the victim.
Hackers often orchestrate healthcare data breaches in hopes of obtaining valuable information they can then sell to a third party. This third party can then use the purchased data to obtain medical treatment in the victim’s name. This carries financial consequences because the victim’s insurance will get billed for procedures they never had performed. Or, if a patient doesn’t have insurance, they will get the bill in their name.
However, the other more serious risk is that a person who is pretending to be you provides the doctor or surgeon with information about themselves that ends up in your medical record. For example, a fake patient may give the doctor their own list of allergies or the medications they are taking. This can—and often does—result in inaccuracies on a victim’s medical record, which can result in the victim not receiving the appropriate treatment the next time they visit the doctor.
Data breaches involving protected health information must be taken seriously. For those looking to learn more about what to do in the wake of such a breach, as well as their ability to file a legal claim against the provider who leaked their data, speaking with a data breach lawyer is a good first step.