Even more cyberattacks on hospitals!

Cyber-scumbags attack a cancer hospital and gut it for patient data.
23 January 2024

Recent cyberattacks on hospitals include the Fred Hutchinson Cancer Center. Image via the Seattle Times.

• Cyberattacks on hospitals are on the rise.
• A Thanksgiving attack included a cancer center.
• Cyberattacks on hospitals are relatively easy, due to a mixture of legacy tech and staggered digital transformation.

Cyberattacks on hospitals have become an increased threat in recent years. Although the technology used in operating theaters is top of the range and carefully checked, over on the admin side, a combination of rushed digital transformation and legacy software leaves a huge attack surface wide open.

Happy Thanksgiving

On the morning of Thanksgiving 2023, Ardent Health Services took its services offline following a ransomware attack. That wasn’t the only cyberattack on a hospital: the Fred Hutchinson Cancer Center was also targeted by cybercriminals.

Although the attack on Ardent had instantaneous effect, the cyberattack on Fred Hutchinson didn’t immediately have clear implications. Teams noticed some “unauthorized activity” on “limited parts” of the healthcare system’s clinical network, according to Christina VerHeul, the organization’s associate vice president of communications.

In the immediate aftermath, VerHeul said “The reality is, we don’t know to what extent information has been obtained, nor any of the details of what that information is.”

The investigation ran on into this year and now the effects of the cyberattack on the hospital are being felt. The personal information of roughly 1 million patients was leaked, leading to email threats from hackers and escalating menacing messages.

Patients are receiving “swatting” threats and spam emails warning that unless a fee is paid, patients’ names, Social Security and phone numbers, medical history, lab results and insurance history will be sold to data brokers and on black markets.

Steve Bernd, a spokesperson for FBI Seattle, said last week there’s been no indication of any criminal swatting events, which occur when a bogus claim is made to law enforcement so that emergency response officers, like SWAT teams, show up at a person’s home.

Fred Hutchinson patient JM has been inundated with spam emails since the breach. In an email to the Seattle Times, he credits Fred Hutchinson with saving his life after his diagnosis of follicular lymphoma over 10 years ago.

Cyberattacks on hospitals.

How low can you go? Stealing data from cancer patients low?

“I have absolutely nothing bad to say about the facility and the providers in it,” JM wrote. “But this cyberhack has got me way spooked.”

That being said, the center’s communication efforts haven’t been up to scratch. JM hasn’t received direct responses to his requests for information about the data leak.

Since the hack, Fred Hutchinson has sent notifications through MyChart to patients, posted updates on its online FAQ page, and mailed letters out to patients, said VerHeul. Apparently, investigations have revealed the breach accessed patient information between November 19th and 25th.

Cyberattacks on hospitals add stress to recovering patients

Cyberattacks on hospitals take different forms: when Ardent was hit, hospitals had to close to emergency patients, putting lives at risk. In the case of the Fred Hutchinson Center, all clinics remained open following the attack but patients have been the direct targets of bad actors.

The cyberattack primarily impacted clinical data of former and current Fred Hutchinson patients, although the information of some UW Medicine patients was also leaked, according to hospital leaders.

While many details about the breach are still under investigation, Fred Hutchinson has said it believes hackers “exploited a vulnerability” in a workspace software called Citrix that allowed them to gain access to its network.

The weakness is known as the “Citrix Bleed” and federal security teams say it allows threat actors to bypass password requirements and multifactor authentication measures.

Cybersecurity is rarely taken seriously in sectors that don’t consider themselves to be at risk; sensitive personal data managed by hospital systems should be treated more carefully, and that means investing.