Since November 2023, Fred Hutchinson Cancer Center (Fred Hutch) and UW Medicine, and their patients and employees, have been dealing with the consequences of a mass data breach. The breach occurred after a vulnerability in Citrix NetScaler ADC and Gateway appliances, known as Citrix Bleed (CVE-2023-4966), was exploited by a foreign hacking group (ACA Aponix, 2023; Waldman, 2024). The lack of scrutiny regarding the network vulnerability contributed to ransomware attacks targeting Fred Hutch’s patient clinical network. Ultimately, the health data of 2.1 million Fred Hutch patients and, through the ecosystem of shared patient records, UW Medicine patients were compromised (Alder, 2025).
It is imperative to note that the network vulnerability was disclosed by Citrix in October 2023 and a patch was issued on 10 October 2023. The Fred Hutch/UW Medicine breach occurred from 10-25 November 2023. The response gap demonstrates an oversight on the part of Fred Hutch and its record-sharing affiliate, UW Medicine. They did not use their discretion to implement the patch quickly, which opened the door to a mass breach (Cameyo, 2024; Unit 42, 2023).
In 2023 alone, 725 health data breaches contributed to 133 million health records being exposed or unlawfully shared (Alder, 2025). The Fred Hutch/UW Medicine breach is just one event within a large and unfortunately prevalent cybersecurity and policy problem. Despite the existence of the HIPAA Security Rule (Title 45, Code of Federal Regulations, Part 160; Subparts A and C of Part 164), which nationally protects electronic health records, breaches of health data still occur (HHS, 2013). While the existence of a law does not guarantee that infractions will not happen, the question remains of how HIPAA patient privacy policy can be improved. With clearer systems of accountability, medical institutions can be more prompt with their clinical network security.
Within HIPAA, as of now, medical institutions and third-party service vendors (including cloud computing firms) are supposed to abide by a Business Associate Agreement (BAA). The BAA provides that these third parties handling health data must abide by HIPAA rules around privacy (HHS, 2013). Inherently, the burden for compliance in terms of network updates and security is placed on vendors. While the general Security Rule also places responsibility on hospitals to securely store health data, there seems to be a gray area. Beyond audits, it is unclear how hospitals are held accountable for reporting that they have updated their systems. Such gray areas allow oversights like the one behind the Fred Hutch/UW Medicine breach to continue.
In the current policy environment, HHS is still in the process of overhauling the Security Rule. If finalized, health care entities would be required to perform multiple types of testing, including vulnerability scanning every six months and yearly auditing, to ensure HIPAA privacy compliance (Perry & Riga, 2025). Most importantly, these updates would close some of this gap: healthcare entities would have less discretion in deciding whether to implement security measures, because those measures would simply be required (Perry & Riga, 2025).
It is in the best interest of medical institutions and their patients to have the updated Security Rule passed. The addition of clear provisions for how hospitals will show they have complied with mandated testing remains necessary. Increasing the frequency of audits and tests (more than yearly and bi-yearly; perhaps quarterly is better) will hopefully decrease the propensity for breaches as well, or at the very least reduce their scale and severity.
References
ACA Aponix (2023, November 16). Thousands of Servers Exposed by Citrix Bleed Vulnerability. ACA. https://www.acaglobal.com/industry-insights/thousands-servers-exposed-citrix-bleed-vulnerability
Alder, Steve (2025). Fred Hutchinson Cancer Center Settles Class Action Data Breach Lawsuit for $11.5M. The HIPAA Journal. https://www.hipaajournal.com/fred-hutchinson-cancer-center-data-breach-settlement/
Alder, Steve (2025, October 26). Healthcare Data Breach Statistics. The HIPAA Journal. https://www.hipaajournal.com/healthcare-data-breach-statistics/
Cameyo (2024, January 4). Citrix Bleed: A Deep Dive for IT Leaders. Cameyo. https://cameyo.com/citrix-bleed/
Citrix (2022). Customer Spotlight: How healthcare organizations improve patient care with innovation and agility. Citrix Systems, Inc. https://www.citrix.com/content/dam/citrix/en_us/documents/ebook/citrix-healthcare-customer-story-flipbook.pdf?srsltid=AfmBOor3Fg5G7lTe_lPoayK2QbDx6cyX3mvtVC6MXcdEdm7uSNipBJVW
Cybersecurity & Infrastructure Security Agency (2025). Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed. CISA, Department of Homeland Security. https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
Desai, Anokhy & Olivero, Amy (2023, April). Washington’s My Health, My Data Act. IAPP (International Association of Privacy Professionals). https://iapp.org/resources/article/washington-my-health-my-data-act-overview/
Health Sector Cybersecurity Coordination Center (2022). HC3: Sector Alert. HHS. https://www.hhs.gov/sites/default/files/citrix-adc-citrix-gateway-vulnerabilities-sector-alert-tlpclear.pdf
Perry, Benjamin W. & Riga, Stephen A. (2025, January 10). HHS Proposed Rule Would Increase Cybersecurity Requirements for Electronic Health Data. Ogletree Deakins. https://ogletree.com/insights-resources/blog-posts/hhs-proposed-rule-would-increase-cybersecurity-requirements-for-electronic-health-data
Savage, Victoria (2023, December 20). How to protect your organization against Citrix Bleed. LoginTC. https://www.logintc.com/blog/how-to-protect-your-organization-against-citrix-bleed/
Toolis, Brittany (2023, December 7). Seattle cancer patients face blackmail threats after recent Fred Hutch data breach. KIRO 7 News. https://www.kiro7.com/news/local/seattle-cancer-patients-face-blackmail-threats-after-recent-fred-hutch-data-breach/BCLXFK66DRAEDMRPMVBCUVOUDI/
Unit 42 (2023, November 1). Threat Brief: Citrix Bleed CVE-2023-4966. Palo Alto Networks. https://unit42.paloaltonetworks.com/threat-brief-cve-2023-4966-netscaler-citrix-bleed/
U.S. Department of Health and Human Services (2013, January 25). Business Associate Contracts. HHS. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
U.S. Department of Health and Human Services (2013, January 25). The Security Rule. HHS. https://www.hhs.gov/hipaa/for-professionals/security/index.html
UW Medicine Strategic Marketing & Communications (2024). UW Medicine | Fact Book. UW Medicine. https://www.uwmedicine.org/sites/stevie/files/2025-03/Fact%20Book%20Feb2025_Final.pdf
Waldman, Arielle (2024, January 4). December ransomware attacks disrupt healthcare organizations. TechTarget. https://www.techtarget.com/searchsecurity/news/366565197/December-ransomware-attacks-disrupt-healthcare-organizations
Washington State Health Care Authority (2025). Notice of privacy practices. Washington Health Care Authority. https://www.hca.wa.gov/about-hca/notice-privacy-practices