Published on January 16, 2024
Seattle Shakedown: Fred Hutchinson Cancer Center Patients Plagued by Ransomware 'Cyber-Gangsters'
Source: Joe Mabel, CC BY 4.0, via Wikimedia Commons

In a disturbing development, Fred Hutchinson Cancer Center patients have found themselves at the mercy of cybercriminals following a cyberattack last November that has left about 1 million individuals compromised. The center has been embroiled in a series of lawsuits and a barrage of email threats that have escalated to include "swatting" — a hoax practice where false emergencies are reported to law enforcement to provoke a heavy response towards the victim's location.

According to a Seattle Times report, victims have received spam with menacing messages, threatening to sell their sensitive data, including Social Security and phone numbers, medical histories, lab results, and insurance history to data brokers and on black markets unless a fee is paid. Cybercriminals, leveraging the fear generated by swatting threats, have demanded at least 300 current and former patients pay $50 to have their information supposedly scrubbed from being sold online.

The attackers, identified as the Hunters International ransomware gang, directly targeted the cancer center's patients with personalized extortion threats, a departure from typical ransomware methods. As reported by Secureblink, the group has not only claimed to possess names and Social Security numbers but has also bragged about having phone numbers, medical history, lab results, and insurance details of over 800,000 patients, demanding $50 for data protection.

The center's website acknowledged the threats and advised patients against caving to the extortion demands. "Unfortunately, all organizations face cybersecurity risks," Fred Hutchinson explained, adding that the attack exploited a vulnerability in Citrix software. In response, the institution's IT and security team detected and mitigated the unauthorized activity and implemented additional defenses to protect against future breaches, according to an article from BankInfoSecurity.

While the FBI has been notified and is aware of the swatting threats, it stated that no information indicates a swatting event actually took place related to this breach. "The tactics used have become progressively more extreme and, unfortunately, it seems inevitable that real-world violence will eventually become part of the extortion model," Brett Callow, a threat analyst at Emsisoft, told BankInfoSecurity.

Amid the ongoing lawsuits and increased spam emails and phone calls reported by patients, Fred Hutchinson Cancer Center is grappling with the ramifications of the data breach and the subsequent targeted threats. This cyberattack is not the center's sole worry, as a public notice also cited a lost laptop potentially containing patient information. Fred Hutchinson is continuing its investigation into the breach and has committed to notifying affected patients within the required deadline set by the Office of Civil Rights.