In early 2025, Northwest Radiologists, a medical imaging provider serving communities across Washington state, reported a significant data breach that may have exposed sensitive personal and medical information of thousands of patients. This incident is a wake-up call about the importance of data privacy and the evolving legal landscape in Washington.
What Happened?
While full details are still emerging, initial reports indicate that the breach was caused by a targeted cyberattack exploiting vulnerabilities in the organization’s network infrastructure. Threat actors gained unauthorized access to systems containing personally identifiable information (PII), including:
- Names
- Dates of birth
- Medical imaging records
- Insurance details
- Possibly Social Security numbers
The breach appears to have been part of a broader campaign involving ransomware tactics, similar to those used by the Playcrypt ransomware group, which has targeted hundreds of entities across North America.
Scope of the Breach
The incident affected patients who received services at multiple Northwest Radiologists locations. Northwest Radiologists serves the regions of Whatcom County, Friday Harbor, Sedro Woolley, and Ketchikan, Alaska. It is partnered with PeaceHealth and has an outpatient imaging service through Mt Baker Imaging. While the exact number of impacted individuals has not been disclosed, the breach has prompted investigations by state regulators and federal cybersecurity agencies.
If you’ve had imaging services performed at any Northwest Radiologists facility in the past few years, it’s advisable to monitor your credit reports, insurance statements, and medical records for suspicious activity.
Washington’s New Privacy Laws: What They Mean for You
In response to growing concerns over data security, Washington state enacted new privacy legislation in 2025 that strengthens protections for residents’ personal data. Key features of the law include:
- Expanded Definition of PII: Includes biometric data, health records, and geolocation.
- Mandatory Breach Notification: Organizations must notify affected individuals within 30 days of discovering a breach.
- Data Minimization Requirements: Businesses must limit the collection and retention of PII to what is strictly necessary.
- Security Safeguards: Companies are required to implement reasonable security measures, including encryption and access controls.
For businesses like Northwest Radiologists, this means they must not only protect data more rigorously but also have a clear incident response plan in place.
How Businesses Can Respond and Prepare
The breach underscores the need for healthcare providers and other organizations handling sensitive data to adopt robust cybersecurity solutions. Here are some recommended tools and practices:
- Endpoint Protection: Solutions like SentinelOne Control offer AI-driven threat detection and response to stop ransomware before it spreads.
- Network Security: WatchGuard firewalls and endpoint security help secure internal systems and prevent unauthorized access.
- SIEM Monitoring: Blumira SIEM provides real-time threat detection and compliance reporting, essential for HIPAA and state law adherence.
- Cloud Backup: Axcient 360 ensures that critical data is backed up securely and can be restored quickly in the event of a breach.
- Managed IT Services: Partnering with a trusted MSP ensures continuous monitoring, patching, and support—critical for small and mid-sized healthcare providers.
What You Can Do as a Patient
If you believe you may be affected:
- Watch for Notifications: Northwest Radiologists is required to notify impacted individuals.
- Monitor Your Accounts: Check for unusual activity in your medical and financial records.
- Consider Identity Theft Protection: Services like credit monitoring can alert you to potential misuse of your data.
- Ask Questions: Contact the provider to understand what data was exposed and what steps they’re taking.
Final Thoughts
This breach is a stark reminder that even trusted healthcare providers are vulnerable to cyber threats. Washington’s new privacy laws are a step forward in protecting residents, but businesses must rise to the challenge by investing in proactive cybersecurity measures.
If you’re a healthcare provider or local business in Washington and want to ensure your systems are secure and compliant, Compass Lane can help. Reach out to learn more about our managed IT services and cybersecurity solutions tailored for small business and the public sector.