Critical Severity (Score: 10/10)

Northwest Radiologists Data Breach Exposes 362,713 Patient Records

Breach Details

Entity: Northwest Radiologists, Inc./Mount Baker Imaging
Individuals Affected: 362,713
State: WA
Breach Type: Hacking/IT Incident
Location: Network Server
Date Reported: October 28, 2025
Entity Type: Healthcare Provider
Business Associate: No

A massive healthcare data breach at Northwest Radiologists, Inc. and Mount Baker Imaging has compromised the protected health information (PHI) of 362,713 individuals, making it one of Washington state's largest healthcare cybersecurity incidents in recent years. The breach, reported to the Department of Health and Human Services (HHS) on October 28, 2025, involved unauthorized access to the organization's network servers.

What Happened

Northwest Radiologists, Inc., operating Mount Baker Imaging facilities, fell victim to a significant hacking incident that compromised its network servers. While specific details about the attack methodology remain limited, the breach has been classified as a "Hacking/IT Incident" by HHS, indicating that cybercriminals gained unauthorized access to the organization's digital infrastructure.

The healthcare provider discovered the security incident and promptly reported it to federal authorities, as required under the HIPAA Breach Notification Rule. However, the organization has not yet released additional details about the nature of the attack, the specific systems affected, or the timeline of the incident.

This type of network server breach typically involves sophisticated cybercriminals who exploit vulnerabilities in healthcare IT systems to access sensitive patient information. Healthcare organizations are increasingly targeted by ransomware groups and other malicious actors due to the valuable nature of medical data and the critical need for healthcare providers to maintain operational continuity.

Who Is Affected

The breach impacts 362,713 individuals who received services from Northwest Radiologists, Inc. and Mount Baker Imaging. This makes it one of the largest healthcare data breaches reported in Washington state, affecting patients who trusted the organization with their sensitive medical information.

Northwest Radiologists provides diagnostic imaging services across multiple locations in Washington state, serving a large patient population with various radiological procedures including X-rays, MRIs, CT scans, and other diagnostic imaging services. The affected individuals likely include patients who received services over multiple years, given the substantial number of records involved.

Patients who have received services from Northwest Radiologists or Mount Baker Imaging facilities should assume their information may have been compromised and take appropriate protective measures. The organization is required by law to notify affected individuals directly within 60 days of discovering the breach.

Breach Details

The attack specifically targeted Northwest Radiologists' network servers, which likely contained extensive patient databases with sensitive medical information. While the exact types of data accessed remain unspecified, typical radiological practices maintain comprehensive patient records that may include:

  • Patient names, addresses, and contact information
  • Social Security numbers
  • Date of birth and demographic details
  • Medical record numbers and account information
  • Insurance information and billing details
  • Diagnostic imaging results and reports
  • Physician notes and treatment histories
  • Appointment scheduling information

The breach's classification as a hacking incident suggests that external cybercriminals were responsible, rather than an insider threat or accidental disclosure. Network server breaches often involve advanced persistent threats (APTs) or ransomware attacks, where criminals maintain access to systems for extended periods to maximize data extraction.

The October 2025 reporting date indicates that the organization recently discovered the incident or concluded its investigation into it. HIPAA requires covered entities to report breaches affecting 500 or more individuals within 60 days of discovery, suggesting the breach was identified sometime in late August or September 2025.

What This Means for Patients

For the 362,713 affected individuals, this breach represents a serious compromise of their protected health information and privacy rights under HIPAA. The exposed data could potentially be used for identity theft, medical identity fraud, insurance fraud, or sold on dark web marketplaces.

Patients should be particularly concerned about medical identity theft, where criminals use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims. This type of fraud can be especially damaging because it may result in incorrect information being added to victims' medical records, potentially affecting future healthcare decisions.

The large scale of this breach also increases the likelihood that the stolen data will be widely distributed or sold, potentially exposing affected individuals to long-term risks. Unlike credit card numbers that can be quickly replaced, medical information and Social Security numbers cannot be changed, making the consequences of this breach potentially long-lasting.

Affected patients should expect to receive official breach notification letters from Northwest Radiologists providing specific details about what information was compromised and what steps the organization is taking in response. Many healthcare organizations also provide free credit monitoring services to affected individuals following major breaches.

How to Protect Yourself

If you are a patient of Northwest Radiologists or Mount Baker Imaging, take these immediate protective steps:

Monitor Your Accounts:

  • Review all medical bills and insurance statements for unfamiliar charges
  • Check your credit reports regularly for new accounts or inquiries
  • Monitor bank and credit card statements for suspicious activity
  • Set up fraud alerts with major credit bureaus

Secure Your Information:

  • Consider placing a security freeze on your credit reports
  • Update passwords for healthcare portals and insurance accounts
  • Enable two-factor authentication where available
  • Keep detailed records of all communications about the breach

Stay Vigilant:

  • Be cautious of phishing emails or calls requesting personal information
  • Verify the identity of anyone claiming to be from Northwest Radiologists
  • Report suspicious activity to authorities immediately
  • Consider identity theft protection services if not provided by the organization

Know Your Rights:

  • You have the right to file a complaint with HHS if you believe your HIPAA rights were violated
  • You may be entitled to compensation if you suffer financial losses due to the breach
  • Contact an attorney specializing in data breach cases if you experience identity theft

Prevention Lessons for Healthcare Providers

This massive breach at Northwest Radiologists highlights critical cybersecurity challenges facing healthcare organizations. The incident demonstrates the need for comprehensive security measures to protect patient data:

Network Security: Healthcare providers must implement robust network segmentation, intrusion detection systems, and continuous monitoring to identify and respond to threats quickly. Regular security assessments and penetration testing can help identify vulnerabilities before criminals exploit them.

Employee Training: Human error remains a significant factor in many breaches. Organizations must provide regular cybersecurity training, phishing simulations, and clear protocols for reporting suspicious activity.

Incident Response: Having a well-tested incident response plan is crucial for minimizing damage when breaches occur. This includes procedures for containment, investigation, notification, and recovery.

Third-Party Risk Management: Healthcare organizations must carefully vet and monitor all vendors and business associates who have access to PHI, ensuring they meet appropriate security standards.

The Northwest Radiologists breach serves as a stark reminder that no healthcare organization is immune to cyber attacks. As healthcare continues to digitize, the stakes for cybersecurity continue to rise, making robust protection measures essential for preserving patient trust and regulatory compliance.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
