The University of Washington and Fred Hutchinson Cancer Center have decided to settle a proposed class action data breach lawsuit for $11,500,000 and set aside $13,500,000 to enhance cybersecurity. The lawsuit is a result of a cyberattack and data breach identified after Thanksgiving in 2023. Hackers compromised its network and extracted the protected health information (PHI) of about 2.1 million people from November 10 to November 25, 2023. The stolen PHI included names, contact details, health data and Social Security numbers. Hunters International threat group conducted the attack and required a ransom payment to stop the exposure of the stolen information. Because no ransom was paid, the hackers sent to impacted patients individual ransom notes and threatened them that their stolen data would not be deleted but exposed online if they did not pay $50.
Multiple lawsuits had been filed because of the data breach. The lawsuits were combined into one lawsuit filed in the Superior Court for the State of Washington and King County. In re: Fred Hutchinson Cancer Center Data Breach Litigation, Fred Hutchinson Cancer Center is accused of negligence for not implementing reasonable and proper security procedures, unjust enrichment, breach of implied contract,
and Washington Consumer Protection Act violation. The University of Washington is accused of negligence, unjust enrichment, and breach of implied contract. The plaintiffs stated that they endured damages because of the data breach and the theft of their information. If the healthcare-covered entities implemented HIPAA encryption, this data breach report would have been avoided.
The defendants reject and deny all accusations and charges of wrongdoing. They disagree that the plaintiffs sustained any cognizable injury or damage; nevertheless, they decided to resolve the legal action to prevent the problems, uncertainty, and expense of continuous litigation. Under the proposed settlement, class members are eligible to file a claim for up to a $5,000 refund of recorded, out-of-pocket costs that were due to the data breach, such as losses associated with fraud and identity theft. Class members are also entitled to receive credit monitoring and identity theft protection services for two years and a cash fund payment of $599 pro rata.
Fred Hutchinson Cancer Center agreed to implement extra security procedures over the following 3 years. The costs of the security measures and enhancements in the following three years are at least $13,500,000. The court has given its preliminary approval of the settlement. The schedule of the final fairness hearing is on May 20, 2025. The due date for objecting to or excluding from the settlement is April 7, 2025, and the last day for submitting claims is May 7, 2025.
Image credit: logo©Fred Hutchinson Cancer Center / Chinnapong, AdobeStock
