348,000 Patients Impacted in Mt. Baker Imaging Data Breach

A cyberattack on Mt. Baker Imaging exposed sensitive data for 348,000 Washington patients, including medical and financial records, triggering a class action lawsuit.

    More than 348,000 Washington residents have had their sensitive data exposed following a cyberattack on Mt. Baker Imaging and Northwest Radiologists earlier this year. According to a filing with the Washington Attorney General’s Office, the breach took place between January 20 and January 25, but was not publicly disclosed until July.

    The stolen data includes highly sensitive personal and medical information, including:

    • Full names
    • Addresses
    • Social Security numbers
    • Driver’s license details
    • Bank account information
    • Military identification numbers
    • Health insurance details

    Mt. Baker Imaging, which operates six locations in Whatcom County and provides a range of diagnostic services like MRIs, CT scans, and mammograms, initially described the incident as a “computer network disruption” and stated it was cooperating with the FBI and external forensic investigators.

    Nearly two months after the attack, the company posted a breach notice on its website, but that notification has since been removed. There is currently no visible notice on the website acknowledging the scale of the breach.

    In statements, Northwest Radiologists and Mt. Baker Imaging said there was no evidence so far of “actual misuse of information,” though a class action lawsuit has since been filed in Whatcom County Superior Court. The complaint, filed on behalf of two local patients, accuses the medical company of negligence and failing to implement proper security safeguards to protect patients’ private information.

    The lawsuit claims:

    “Cyber and data security systems were so completely inadequate that it allowed cybercriminals to obtain files containing a treasure trove of thousands of patients’ private highly sensitive information.”

    It further argues that the incident violated state and federal data protection laws and that affected patients could suffer from continued harm, including financial loss, wasted time, anxiety, and emotional distress.

    Under Washington law, data breaches affecting more than 500 state residents must be reported to the Attorney General’s Office within 30 days of discovery, though that timeline may be extended if a disclosure could interfere with an ongoing criminal investigation.

    The Attorney General’s Office has not yet provided a statement on the July filing.

    The attack on Mt. Baker Imaging is one of several targeting Washington healthcare providers this year. National dialysis provider DaVita also experienced a cyberattack, affecting roughly 13,400 residents across Bellingham, Ferndale, and Burlington, as reported to the Attorney General’s Office.
