About 6 lawsuits were filed against the Fred Hutchinson Cancer Center because of a cyberattack and data breach that happened on the Thanksgiving weekend of 2023. Unauthorized persons acquired access to its system where patient information was kept and extracted files that contain names, contact details, Social Security numbers, and medical data. The Hunters International hacking group professed to be behind the cyberattack. When the Fred Hutchinson Cancer Center declined to give ransom payments, they started contacting the patients directly and asking them to pay $50 for the deletion of their stolen data. The hacking group stated it had stolen the information of 800,000 patients.
It is common for class action lawsuits to be filed following big data breaches, and it was unavoidable that the impacted persons would file a lawsuit simply because they were directly endangered by the people responsible for the attack. The legal cases typically have the same allegations, and as a result, they are combined into one class action lawsuit. The allegations include the negligence of Fred Hutchinson Cancer Center for failing to apply reasonable and proper safety measures to secure its internal systems and patient information against unauthorized access and that the data breach happened because of those security breakdowns.
Because of the cyberattack on Fred Hutchinson Cancer Center and the resulting data breach, the following lawsuits have been filed:
1. Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and the University of Washington with plaintiffs’ representatives Ben Barnow, Riley W. Prince, and Anthony L. Parkhill of Barnow and Associates, and Alexander F. Strong of Stobaugh & Strong P.C.
The Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and the University of Washington lawsuit was submitted in the Superior Court of the State of Washington in King County and states that the plaintiffs assumed that the defendants had put in place and kept reasonable and proper security procedures because of the representations of the defendants when that wasn’t the fact. The two named plaintiffs assert they first discovered the data breach after the hackers directly called and threatened to publicly release/sell their sensitive information. They state that the Fred Hutchinson Cancer Center did not send immediate notifications so they could do something to avert identity theft and fraud.
The lawsuit states the plaintiffs and class members today deal with serious and sustained effects from the cyberattack and have experienced injury and problems such as a sizeable and impending risk of identity theft, breach of privacy of highly sensitive PII/PHI, loss of the value of PII/PHI, and excessive payment for services that didn’t include sufficient data protection and other adverse effects. Besides negligence, the lawsuit includes these allegations: a violation of the Washington Consumer Protection Act, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment. The lawsuit wants actual, statutory, and punitive damages and a jury trial, disgorgement, restitution, and nominal damages, and equitable, injunctive, and declaratory relief.
2. Shawna Arneson v. Fred Hutchinson Cancer Center with plaintiffs’ representatives Cecily C. Jordan and Kim D. Stephens of Tousley Brain Stephens PLLC.
The Shawna Arneson v. Fred Hutchinson Cancer Center lawsuit was submitted in the same court and consists of identical claims, and states that the actions of Fred Hutchinson Cancer Center were a HIPAA violation.
3. Doe v. Fred Hutchinson Cancer Center et al with plaintiffs and class’ representative Turke & Strauss LLP.
In the US District Court for the Western District of Washington, John Doe, the father of Jack Doe, and likewise situated persons filed the Doe v. Fred Hutchinson Cancer Center et al lawsuit. Other defendants mentioned in the lawsuit are UW Medical Center, UW School of Medicine, Valley Medical Center, UW Neighborhood Clinics (also known as UW Medicine Primary Care), UW Physicians, Harborview Medical Center, Children’s University Medical Group, and Airlift Northwest.
Jack Doe got medical services from UW Medicine but never went to Fred Hutchinson Cancer Center; nevertheless, his information was provided to the Fred Hutchinson Cancer Center since the two health systems work jointly for cancer research. The lawsuit claims that the defendants did not use proper cybersecurity procedures and did not safeguard patients against extortionary threats by cybercriminals. The lawsuit claims security failures, since the Fred Hutchinson Cancer Center likewise did not stop an employee email account breach in March 2022. The lawsuit wants a jury trial and compensation of damages, restitution, and relief.