Fred Hutchinson Cancer Center and the University of Washington have agreed to a $11.5 million settlement and committed $13.5 million to cybersecurity improvements. This followed a major data breach in 2023 that exposed the personal and medical information of 2.1 million individuals.
What happened
Fred Hutchinson Cancer Center and the University of Washington have agreed to pay $11.5 million to settle a class action lawsuit following a major data breach in 2023. In addition, they have committed $13.5 million to enhance cybersecurity measures over the next three years. The settlement, which awaits final court approval, provides compensation to affected individuals and aims to prevent future breaches.
The backstory
The data breach occurred between November 10 and November 25, 2023, when cybercriminals from the Hunters International threat group infiltrated the Fred Hutchinson Cancer Center’s network. The attack compromised the personal and protected health information (PHI) of approximately 2.1 million individuals, exposing names, contact details, medical records, and Social Security numbers. After the institution refused to pay a ransom, the hackers took the unprecedented step of directly extorting patients, demanding $50 to delete their data or risk having it published online.
Going deeper
In response to the breach, multiple lawsuits were filed against Fred Hutchinson Cancer Center and the University of Washington, which were consolidated into a single case—In re: Fred Hutchinson Cancer Center Data Breach Litigation—in the Superior Court of Washington for King County. The plaintiffs accused the institutions of negligence, breach of implied contract, unjust enrichment, and violations of consumer protection laws. The lawsuit claimed that inadequate security measures led to the breach and that victims suffered financial and emotional harm.
Despite denying any wrongdoing, the defendants opted to settle to avoid prolonged litigation. The settlement includes compensation of up to $5,000 for documented financial losses related to fraud or identity theft, two years of credit monitoring, and a $599 pro-rata cash payout per class member. The court has given preliminary approval, with a final fairness hearing set for May 20, 2025. Individuals affected by the breach have until April 7, 2025, to object or opt out, and claims must be submitted by May 7, 2025.
Impact
The settlement impacts multiple stakeholders:
- Affected patients receive financial relief and identity protection, but the risk of identity fraud persists.
- Fred Hutchinson Cancer Center and University of Washington face financial and reputational consequences while committing resources to cybersecurity improvements.
- The healthcare industry sees this case as a precedent for handling data breaches and the growing threat of cyberattacks.
Why it matters
The Fred Hutchinson Cancer Center and University of Washington data breach settlement reflects the growing risks and legal repercussions of cyberattacks in the healthcare industry. While the settlement offers financial relief and security enhancements, it serves as a reminder to other healthcare organizations, of the importance of proactive cybersecurity measures. As cyber threats evolve, healthcare institutions must prioritize data security to protect patient information and maintain public trust.
See also: HIPAA Compliant Email: The Definitive Guide
FAQS
What is a data breach?
A data breach occurs when unauthorized individuals gain access to sensitive or confidential information, often leading to data theft or exposure.
See also: Types of breaches
How can I protect my personal data online?
Use strong, unique passwords, enable two-factor authentication (2FA), monitor your accounts for suspicious activity, and avoid sharing sensitive information on unsecured platforms.
What legal actions can be taken after a data breach?
Affected individuals can file lawsuits, join class action cases, or seek compensation through settlements if negligence is proven.
See also: Legal liabilities associated with a data breach
Tshedimoso Makhene
