On January 20, 2025 Mt. Baker Imaging and Northwest Radiologists in Washington State (collectively, “Northwest Radiologists”) experienced a network intrusion that they discovered on January 25. Although media reported on the incident on January 27, it was not until March 26 that Northwest Radiologists posted a notice on its website (archived). DataBreaches could find no report on HHS’s public breach tool indicating that Northwest Radiologists has ever reported the incident to them (unless HHS decided not to post it yet).
On July 10, Northwest Radiologists notified Washington State that 348,118 Washington residents were affected by the incident.
A copy of their notification letter to patients referred to the incident as a “network disruption.” Was this a ransomware attack or a hack with an extortion demand, or neither? They don’t say, but no ransomware or extortion gang has claimed responsibility for the incident, and Northwest Radiologists claims, “Please note that we currently have no reason to believe that your information has been or will be misused as a result of this event.”
What Information Was Involved: The types of information that may have been contained within the affected data may include your first and last name, in combination one or more of the following: address information, telephone number, date of birth, email address, Social Security number, driver’s license or state identification card number, treatment or diagnosis information, provider name, medical record number or patient identification number, health insurance information, and/or treatment cost information.
The July letter indicates that those affected are being offered complimentary credit monitoring and identity protection services.
If almost 350,000 Washington residents were affected, how many others outside of the state were also affected? And was this a ransomware attack or an attack with an extortion demand, and if so, did Northwest Radiologists pay? It is now six months since the attack. One would expect data to be leaked already if there was an unpaid demand.
DataBreaches attempted to find email addresses to reach Northwest Radiologists with requests for greater clarity about the incident and their response. The majority of emails bounced back. Others went unanswered.
If DataBreaches obtains more information about the January incident, this post will be updated.
An Earlier, Smaller Breach?
But in the process of seeking contact information, DataBreaches discovered that Northwest Radiologists had another HIPAA breach four years ago when it responded to a patient’s online review.
The review had been posted with the patient’s first and last name. The patient, whose name DataBreaches is not reporting, had amended a bad online review to report an acceptable outcome. But then Northwest Radiologists responded to the patient by name and writing:
Hello, [name]. Mt Baker Imaging and Northwest Radiologists are happy to be able to offer interest free payment plans to any patient of ours that has a balance greater than $75. In reviewing your account, it looks like you would have qualified for this option. It appears that we never heard from you or received payment after mailing statements to the address we have on file for you and this is unfortunately the reason your account is currently in a default status with our collection agency.
Please reach out to our local office at (360) 788-9004 if you’re interested in establishing set payment arrangements and we will work with you to resolve your balance. Thank you!
Once again, for the kids in the back row who slept through the first presentation: even if a patient reveals their own PHI, the provider cnanot publicly reveal PHI to respond to an online review. Their response was tied to a patient’s first and last name and revealed that their account was in collection.