A 2023 cyberattack on Fred Hutchinson Cancer Center led to a major settlement impacting millions of patients, employees, and insurance holders.
Fred Hutchinson Cancer Center has agreed to pay $11.5 million to settle a class action lawsuit stemming from a cyberattack in November 2023 that exposed the personal information of patients, employees, and insurance policyholders. The data breach prompted nine lawsuits that were later consolidated into one. The settlement was approved by the King County Superior Court on May 20, 2025.
The breach impacted the cancer center’s clinical network and left individuals vulnerable to identity theft, spam emails, extortion threats, and even "swatting" incidents. According to the court-approved agreement, Fred Hutch will also implement a broad range of cybersecurity upgrades.
The attackers got in through a known vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances, tracked as CVE-2023-4966 and nicknamed "Citrix Bleed". Rather than breaking a password, the flaw lets an unauthenticated attacker read session tokens out of the appliance's memory and reuse them to hijack already-authenticated sessions, which sidesteps multi-factor authentication. Fred Hutch responded by taking its network offline within 72 hours and engaging forensic investigators. Initially, about 1 million individuals were reported affected; that figure was later revised to around 2.1 million.
Out of the total affected, approximately 140,000 people filed claims before the May 7 deadline. Valid claims could receive up to $599, with those able to document financial harm eligible for up to $5,000. The overall $52.5 million settlement package includes cash payments, two years of medical fraud monitoring, and $13.5 million in system security improvements.
Patients from UW Medicine were also affected because of their partnership with Fred Hutch, although UW Medicine’s internal systems were not breached.
Fred Hutch spokesperson Christina VerHeul reiterated the center’s commitment to protecting personal data and outlined plans for security enhancements. Attorneys for the class described the settlement terms as fair and the claims rate as above average for cases of this nature.
The FBI confirmed that it is continuing to investigate the incident but has not released details on suspects or arrests. Fred Hutch maintains that no ransom was paid, and it is not aware of any confirmed sales of the stolen data to date.
Healthcare providers continue to face elevated cyber risk due to the volume and sensitivity of the data they manage. The Fred Hutch incident adds to a series of recent breaches across the U.S. health sector, including the 2024 Change Healthcare attack that impacted nearly 200 million patients. These events point to a pressing need for stronger cybersecurity frameworks within institutions that handle protected health information. In addition to financial consequences, breaches frequently lead to reputational harm and greater regulatory oversight.
"Citrix Bleed" (CVE-2023-4966) is a memory over-read in Citrix NetScaler ADC and NetScaler Gateway, the remote-access and load-balancing appliances many organizations place at their network edge, not in the Citrix Workspace client. The bug leaks valid session tokens, so an attacker can take over an existing authenticated session and bypass the login and MFA steps entirely. It was widely exploited in late 2023, including in the Fred Hutch breach, and prompted CISA and FBI warnings. One practitioner caveat from those advisories: because stolen tokens remain valid after the appliance is patched, remediation requires terminating all active and persistent sessions in addition to updating the software, and reviewing logs for sessions that continued from unexpected IP addresses after the patch.
Fred Hutch and UW Medicine collaborate on cancer care and research. Some UW Medicine patient data was stored or accessible through shared systems involved in the breach.
Those who missed the May 7 deadline are generally no longer eligible for a cash payment but may still receive fraud monitoring services or future notifications, depending on the terms of the settlement.
The cancer center has committed to multiple measures, including system audits, staff training, IT system consolidation, enhanced access controls, and partnerships with cybersecurity consultants over the next three years.
Affected individuals are advised to monitor bank accounts, credit reports, and medical records for unusual activity. They should also expect mailed notices about the settlement and instructions for any follow-up actions.