Mt. Baker Imaging and Northwest Radiologists agreed to a proposed $3.3 million settlement in a class action lawsuit that alleged thousands of patients’ personal data was stolen due to “negligence and inadequate” security measures.
Mailers notifying patients of the proposed settlement for the January 2025 ransomware attack started showing up in mailboxes this month.
Four separate class-action lawsuits were consolidated in the settlement, which provides up to $5,000 per affected person for “out-of-pocket losses.” These costs can include money lost due to fraud or identity theft, unreimbursed costs of credit monitoring and other clearly documented items connected to the cyber attack.
Patients can also claim a pro rata fund payment, which is essentially the division of the remaining funds after all other expenses are paid, including attorney fees not to exceed $1.1 million and $4,000 per person for the handful of patients named in the cases. Additionally, patients can claim two years of a medical data protection and monitoring service.
The agreement “is intended to fully, finally and forever resolve all claims” and does not admit fault or liability, according to the settlement agreement.
However, patients involved can exclude themselves from the agreement to preserve a right to file a claim outside the settlement. That deadline is July 20. The final hearing for the proposed settlement agreement was set for August 21.
Claims can be submitted here.
Through the attack, hackers accessed records of more than 348,000 Washington residents. These included patients’ first and last names in combination with various other information, such as Social Security numbers, diagnosis, treatment, address, driver’s license number, email address, phone number and/or patient identification number.
Mt. Baker Imaging, which has six locations in Whatcom County, provides a variety of services, including ultrasounds, MRIs, CT scans, X-rays and 3D mammograms. Northwest Radiologists physicians interpret the images.
The company first called the ransomware attack an ongoing “computer network disruption” on Jan. 28, 2025. Cybercriminals first accessed and started stealing sensitive patient data on Jan. 20. The problem wasn’t identified until roughly five days later.
Nearly two months after the January attack, the outpatient diagnostic imaging company notified readers of its website that a data breach had occurred.
Isaac Stone Simonelli is CDN’s enterprise/investigations reporter; reach him at isaacsimonelli@cascadiadaily.com; 360-922-3090 ext. 127. For confidential tips, email isimonelli@proton.me.
