Mt. Baker and Northwest Radiologists pay $3.3 million over breach

A five-day ransomware attack on a Washington imaging provider exposed the records of 362,000 patients and generated four separate class action lawsuits before settling for $3.3 million eighteen months later.

What happened

Mt. Baker Imaging and Northwest Radiologists have agreed to a $3,300,000 class action settlement over a ransomware attack that ran from January 20 to January 25, 2025, exposing patient data at the Bellingham, Washington medical imaging provider. According to ClassAction.org, the settlement received preliminary approval from Whatcom County Superior Court on April 21, 2026, and covers approximately 340,184 class members. The HHS Office for Civil Rights breach portal lists 362,713 individuals as affected. Compromised data includes names, contact information, dates of birth, Social Security numbers, driver's license numbers, treatment and diagnosis information, health insurance details, provider names, and medical record numbers. Claims must be submitted by August 19, 2026, and the final approval hearing is scheduled for August 21, 2026.

Going deeper

Mt. Baker Imaging operates six imaging centers in Whatcom County and partners with Northwest Radiologists for image interpretation. The consolidated lawsuit, In re: Mt. Baker Imaging, LLC, Data Security Litigation, drew together four separate class actions and asserted claims for negligence, breach of implied contract, invasion of privacy, unjust enrichment, and violations of Washington's Consumer Protection Act, Data Breach Notification Disclosure Law, Uniform Health Care Information Act, and My Health My Data Act. According to Cascadia Daily News, notification mailers began reaching affected patients in May 2026.

What was said

In its official settlement notice, Mt. Baker Imaging and Northwest Radiologists stated they "deny all allegations in the litigation and do not admit any wrongdoing, fault, or liability," but agreed to resolve the matter to avoid the costs, risks, and uncertainty of continued litigation. The companies confirmed they secured the environment immediately after discovery, engaged law enforcement and external cybersecurity experts, and implemented additional technical safeguards following the incident.

In the know

Washington state's My Health My Data Act, which took effect in 2024, is one of the broadest state-level health data privacy laws in the country, extending protections beyond HIPAA to cover health data held by entities that are not HIPAA-covered entities. Its inclusion as a claim in this lawsuit signals that plaintiffs and their counsel are actively using the state law to supplement HIPAA-based negligence arguments in breach litigation. According to Cascadia Daily News, the Washington AG had received the breach notification confirming 348,118 state residents were affected, one of the largest breach notifications filed with Washington regulators in 2025.

The big picture

The Mt. Baker Imaging settlement follows a pattern now well established across healthcare breach litigation: a ransomware attack on a regional imaging or specialty provider generates multiple class actions within weeks of patient notification, which consolidate and resolve within 12 to 18 months for settlements in the $1 to $5 million range. For imaging providers specifically, the breach risk is amplified by the volume and sensitivity of data flowing through their systems, including diagnostic images, treatment histories, and specialist referral notes that carry greater clinical detail than standard administrative records. According to Paubox's Small Healthcare Practices report, smaller and regional healthcare organizations are among the least likely to have formal incident response plans and the most likely to face extended investigation timelines after an attack, both of which directly affect how quickly patients are notified and how far litigation proceeds before a settlement is reached.

FAQs

What is Washington's My Health My Data Act, and why does it matter in breach litigation?

The My Health My Data Act extends health data privacy protections beyond HIPAA to cover any entity that collects health data from Washington residents, as well as covered entities and business associates. Its inclusion as a claim gives plaintiffs additional legal theories and potential remedies beyond standard HIPAA-based negligence, making it a meaningful addition to the litigation toolkit in Washington state breach cases.

Why did four separate lawsuits get consolidated into one action?

Courts consolidate multiple lawsuits with overlapping claims to avoid duplicative proceedings, reduce costs for all parties, and produce a single binding outcome. Consolidation in Whatcom County Superior Court allowed the four class actions arising from the same breach to be litigated and settled together, with a single settlement fund covering all class members.

What does a two-year medical identity theft monitoring membership cover?

Medical identity theft monitoring scans for unauthorized use of a patient's identity in healthcare settings, such as fraudulent insurance claims or prescriptions filed under the victim's name and policy number. Standard credit monitoring does not cover medical identity theft, making the medical-specific service the more directly relevant protection when health insurance information and treatment records are compromised.

What should affected patients do before the August 19 deadline?

Patients who received a settlement notice should review the claim form at MtBakerDataSettlement.com, gather any documentation of out-of-pocket losses they incurred as a result of the breach, and submit their claim online or by mail before August 19, 2026. Enrolling in the medical identity theft monitoring service does not require documenting losses and is available to all class members regardless of whether they experienced direct harm.