In January 2024, hackers breached the systems of Northwest Radiologists / Mt. Baker Imaging (MBI), gaining unauthorized access to sensitive patient records of over 348,000 Washington residents. The compromised data included full names, Social Security numbers, diagnoses, treatments, addresses, driver’s license numbers, email addresses, phone numbers, and patient IDs. While the company claimed no evidence of misuse, the breach exposed highly sensitive medical and personally identifiable information (PII), posing long-term risks of identity theft, fraud, and emotional distress.The company delayed notifications for nearly 10 months, initially downplaying the incident as a 'computer network disruption' before admitting it was a data breach. A class-action lawsuit was filed in April 2024, alleging negligence and inadequate cybersecurity, violating state and federal laws. The breach’s scale and the nature of the stolen data including medical histories and financial identifiers heighten the severity, as such information is prime for exploitation in fraud, phishing, or blackmail. The company’s slow response and lack of transparency further exacerbated the fallout.
TPRM report: https://www.rankiteo.com/company/mt.-baker-imaging-llc
"id": "mt.2802328110625",
"linkid": "mt.-baker-imaging-llc",
"type": "Breach",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '348,000+ Washington residents',
'industry': 'Diagnostic Imaging',
'location': 'Whatcom County, Washington, USA',
'name': 'Mt. Baker Imaging and Northwest Radiologists',
'size': '6 locations',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Incident response line (Mon–Fri, 9 AM–9 PM ET)',
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '348,000+',
'personally_identifiable_information': ['Names',
'Social Security '
'numbers',
'Addresses',
'Driver’s license '
'numbers',
'Email addresses',
'Phone numbers',
'Patient IDs',
'Diagnosis/treatment '
'records'],
'sensitivity_of_data': 'High (includes SSNs, medical '
'diagnoses, treatment details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2023-01-20',
'date_publicly_disclosed': '2023-03-01',
'description': 'Hackers accessed sensitive patient records at Mt. Baker '
'Imaging and Northwest Radiologists in January 2023, '
'compromising data of over 348,000 Washington residents. The '
'breach included personally identifiable information (PII) '
'such as names, Social Security numbers, diagnoses, treatment '
'details, addresses, driver’s license numbers, email '
'addresses, phone numbers, and patient identification numbers. '
'The company delayed notifying affected individuals and the '
'state for nearly 10 months, citing an ongoing investigation. '
'A class-action lawsuit was filed in April 2023, alleging '
'negligence and inadequate security measures.',
'impact': {'brand_reputation_impact': 'Significant (delayed disclosure, '
'class-action lawsuit, media scrutiny)',
'data_compromised': ['First and last names',
'Social Security numbers',
'Diagnosis and treatment information',
'Addresses',
'Driver’s license numbers',
'Email addresses',
'Phone numbers',
'Patient identification numbers'],
'identity_theft_risk': 'High (PII and sensitive medical data '
'exposed)',
'legal_liabilities': 'Class-action lawsuit filed (April 25, 2023) '
'for alleged negligence and violation of '
'state/federal laws',
'operational_impact': 'Computer network disruption (Jan. 20–25, '
'2023)'},
'initial_access_broker': {'high_value_targets': 'Patient records (PII/PHI)'},
'investigation_status': 'Ongoing (as of October 2023, per delayed '
'notification)',
'post_incident_analysis': {'root_causes': 'Alleged negligence and inadequate '
'cybersecurity measures (per '
'lawsuit)'},
'ransomware': {'data_exfiltration': 'Yes (data breach confirmed)'},
'references': [{'source': 'Cascadia Daily News'},
{'source': 'Washington State Office of the Attorney General '
'(data breach report)'},
{'source': 'Class-action lawsuit filing (Whatcom County '
'Superior Court)'}],
'regulatory_compliance': {'legal_actions': 'Class-action lawsuit filed (April '
'25, 2023) in Whatcom County '
'Superior Court',
'regulations_violated': ['Washington State data '
'breach notification law '
'(delayed disclosure)',
'Potential HIPAA '
'violations (unauthorized '
'access to PHI)'],
'regulatory_notifications': 'Washington State '
'Office of the Attorney '
'General (notified in '
'July 2023, ~7 months '
'after breach)'},
'response': {'communication_strategy': 'Delayed patient notification (letters '
'sent Oct. 31, 2023), incident '
'response line (Mon–Fri, 9 AM–9 PM ET)',
'incident_response_plan_activated': 'Yes (worked with FBI and '
'third-party forensic '
'specialists)',
'law_enforcement_notified': 'Yes (FBI involved)',
'recovery_measures': 'Review of impacted data and patient '
'notification process',
'third_party_assistance': ['FBI',
'Third-party forensic specialists']},
'stakeholder_advisories': 'Patient notification letters (dated Oct. 31, 2023)',
'title': 'Data Breach at Mt. Baker Imaging and Northwest Radiologists',
'type': ['Data Breach', 'Unauthorized Access']}