
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients

A January data breach at Northwest Radiologists and Mount Baker Imaging has affected more than 348,000 patients. Data breaches have also been reported by Self Regional Healthcare in South Carolina and Health Care & Rehabilitation Services of SE Vermont.

Northwest Radiologists & Mount Baker Imaging

Northwest Radiologists and Mount Baker Imaging have provided an update on a data breach first announced in March 2025. The incident was described as a security incident that caused network disruption, and evidence had been found to indicate data exfiltration. At the time of the initial announcement, it was unclear how many individuals had been affected.

In a recent notification sent to the Washington Attorney General, Northwest Radiologists and Mount Baker Imaging confirmed that the following information was compromised in the incident: first and last names, addresses, telephone numbers, dates of birth, email addresses, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, provider names, medical record numbers or patient identification numbers, health insurance information, and/or treatment cost information.

The same description of the incident is used, with no mention of ransomware. The forensic investigation confirmed that there had been unauthorized network access between January 20, 2025, and January 25, 2025. The delay in issuing notifications was due to the time taken to review the exposed files and obtain up-to-date address information.


Northwest Radiologists and Mount Baker Imaging said that, at the time of issuing notification letters, no misuse of the exposed data had been detected and that they have no reason to suspect any of the exposed information will be misused; however, as a precaution, the affected individuals are being offered complimentary credit monitoring and identity theft protection services. There is no data breach listed on the HHS’ Office for Civil Rights breach portal, but there is often a delay in adding data breaches. The Washington Attorney General was informed that the breach affected 348,118 state residents.

Self Regional Healthcare, South Carolina

Self Regional Healthcare, an independent regional referral hospital in Greenwood, South Carolina, has started notifying 26,696 patients that some of their protected health information was compromised in a cyberattack on a business associate in July 2024. The breach occurred at Nationwide Recovery Service, which provides debt collection services. Hackers had access to its network between July 5, 2024, and July 11, 2024, and exfiltrated data. The majority of affected clients were notified about the breach last year; however, Self Regional Healthcare only received a list of the affected individuals from NRS on May 23, 2025.

According to Self Regional Healthcare, “NRS is the successor entity to a vendor that Self Regional Healthcare (“SRH”) used back in 2012 for debt collection services,” and the data compromised in the attack on NRS relates to a period between 2012 and 2013. The compromised data includes names, dates of birth, Social Security numbers, diagnoses, dates of service, provider names, medical information, and/or health insurance information. Self Regional Healthcare has confirmed that the affected patients have been offered complimentary credit monitoring and identity theft protection services and said it no longer does business with NRS.

Health Care & Rehabilitation Services of SE Vermont

Health Care & Rehabilitation Services of SE Vermont (HCRS) has recently notified the Vermont Attorney General about unauthorized access to two employee email accounts. The unauthorized access was detected on December 20, 2025, and the passwords were reset to prevent further unauthorized access. Third-party cybersecurity professionals were engaged to investigate the unauthorized activity and determine the information that was exposed.

Following an extensive investigation and complex manual data review, HCRS learned on May 13, 2025, that the email accounts were subject to unauthorized access between December 4, 2025, and December 9, 2025, and client and staff information may have been viewed or copied. The exposed information included first and last names, dates of birth, Social Security numbers, financial account numbers, driver’s license numbers, dates of service, patient numbers, medical record numbers, billing information, treatment information, medical histories, and health insurance information.

The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud. At present, there is no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
