Mt. Baker Imaging Data Breach Exposes 348,000 Patient Records Across Washington
Aug 6, 2025
Overview
A significant data breach affecting Mt. Baker Imaging (MBI) and Northwest Radiologists has compromised the personal and medical information of over 348,000 Washington residents. The breach, which occurred in late January 2025, was initially described as a “computer network disruption” and only later acknowledged as a cyberattack. Sensitive data including Social Security numbers, driver’s license details, and medical records were accessed. The delayed public disclosure has drawn criticism and led to a class-action lawsuit.
What Happened?
Between January 20 and January 25, 2025, threat actors gained unauthorized access to systems connected to Mt. Baker Imaging and Northwest Radiologists — two entities operating six outpatient medical imaging centers across Whatcom County, Washington.
While MBI referred to the event as a “disruption” for nearly two months, it eventually confirmed the incident as a cybersecurity breach in a March 26 blog post. The Washington State Attorney General’s Office was notified only in July, well beyond the state’s 30-day data breach notification requirement.
What Information Was Exposed?
The attackers were able to access and exfiltrate a wide array of sensitive information, including:
Full names
Residential addresses
Social Security numbers
Driver’s license and government ID details
Military ID numbers
Medical treatment history and insurance records
Bank account and routing numbers
As of the August 2025 update, there is no confirmation that the data has been misused, but forensic investigations are ongoing.
Legal & Regulatory Consequences
On April 25, 2025, a class-action lawsuit was filed against Mt. Baker Imaging, alleging:
Failure to implement adequate cybersecurity protections
Delayed and insufficient disclosure of the breach
Violation of Washington's data privacy laws
Emotional and financial damages to affected individuals
Plaintiffs claim they were left vulnerable due to MBI’s failure to notify them promptly, which may have impeded efforts to protect their identities.
Timeline of Events
Date | Event |
|---|---|
Jan 20–25, 2025 | Cyberattack occurs on MBI & NW Radiologists systems |
Feb–Mar 2025 | Incident described publicly only as “network disruption” |
Mar 26, 2025 | MBI publishes blog post confirming cyberattack |
Apr 25, 2025 | Class-action lawsuit filed against MBI |
July 2025 | AG’s Office formally notified of the breach |
Aug 4, 2025 | Public reporting confirms scale of breach: 348,000 affected |
Response & Mitigation
In the aftermath of the breach, Mt. Baker Imaging took the following steps:
Engaged forensic cybersecurity experts to investigate the attack
Notified the FBI and local law enforcement
Contracted IDX, a third-party identity protection service, to provide support to affected individuals
Set up a dedicated support line for patients
However, critics argue that these measures came too late and that the organization failed to meet transparency and response standards expected of medical institutions.
Lessons for Healthcare Providers
This breach is a stark reminder that healthcare systems remain a top target for cybercriminals due to the rich data they hold. It also underscores key takeaways:
Delayed disclosure = reputational damage
Organizations must adhere to strict reporting timelines mandated by state and federal law.Terminology matters
Euphemisms like “disruption” can erode public trust. Clarity is critical.Medical data is high-value
Attackers are increasingly interested in combining SSNs, financial data, and health info for complex fraud.Preparedness can reduce impact
Regular security audits, employee training, and tested incident response plans can significantly reduce breach fallout.
Final Thoughts
With over 348,000 individuals affected, this is one of the most significant health data breaches in Washington’s recent history. The incident reinforces the urgent need for proactive cybersecurity in healthcare — and for companies to treat breach communication not just as a legal formality but as a core element of public trust.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
