A Washington-based radiology provider has disclosed a network breach that exposed patient data over a five-day period in January 2025.
What happened
Mount Baker Imaging/Northwest Radiologists reported a hacking incident to the Washington State Attorney General on July 10, 2025. The breach, which affected 348,118 individuals, stemmed from unauthorized access to its network between January 20 and January 25. The organization described the event as a “network disruption” that impacted several systems.
Going deeper
The compromised data includes a wide range of personally identifiable information and health-related records. Specifically, the breach may have exposed names, contact details, dates of birth, Social Security numbers, driver's license and state ID numbers, email addresses, medical record numbers, diagnosis details, insurance data, and treatment costs.
An investigation into the incident was launched after the disruption was detected on January 25. However, Mount Baker Imaging has not disclosed whether ransomware was involved, and the company has not yet responded to follow-up requests for more information.
As of now, the organization says it has no evidence that the stolen information has been or will be misused.
What was said
In its public statement, Mount Baker Imaging acknowledged the scope of the information potentially accessed and said there is currently no indication of misuse, with Northwest Radiologists adding, “We currently have no reason to believe that your information has been or will be misused.” No confirmation has been given regarding the type of attack, and no timeline for additional updates has been provided. However, the nearly six-month delay between breach discovery and notification leaves a window of potential risk, especially when sensitive data such as Social Security numbers, medical diagnoses, and insurance details could be exploited for long-tail threats like medical fraud or targeted phishing.
FAQs
Why are medical imaging providers frequent targets for cyberattacks?
Imaging centers often store extensive personal and diagnostic data, including scanned images and treatment histories, making them attractive targets for identity theft and insurance fraud.
What should patients do if they think their data was exposed?
Patients should monitor their credit reports, consider placing fraud alerts with major credit bureaus, and contact their healthcare provider for information about identity protection services offered.
What laws require breach reporting in Washington State?
Under Washington law, entities must notify affected individuals and the state attorney general within 30 days if a breach involves personal data of more than 500 residents.
Is all compromised data typically misused right away?
Not always. Some data may be sold on dark web marketplaces months later or used for targeted phishing and fraud, making ongoing vigilance important.
How can healthcare organizations reduce breach risk?
Implementing network segmentation, timely patching, employee security training, and strong access controls are fundamental strategies to reduce exposure to unauthorized access.
Farah Amod
