Lake Washington Vascular 2025 Data Breach: 21,534 Patients Affected by Qilin Ransomware Attack
Lake Washington Vascular Surgeons, a Bellevue, Washington vascular surgery practice, confirmed a February 14, 2025 ransomware incident attributed to the Qilin group. The intrusion exposed personal and protected health information for 21,534 patients. The practice filed with HHS Office for Civil Rights on February 25, 2025 and mailed individual notification letters on March 14, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 14, 2025
Qilin ransomware actor gains unauthorized access to Lake Washington Vascular's network; incident detected the same day
Feb 14, 2025
Suspicious activity identified; containment and forensic investigation begin
Feb 25, 2025
Breach reported to HHS Office for Civil Rights affecting 21,534 individuals
Mar 14, 2025
Individual notification letters mailed to affected patients
Mar 14, 2025
Disclosed publicly
Feb 14, 2025
Qilin ransomware actor gains unauthorized access to Lake Washington Vascular's network; incident detected the same day
Feb 14, 2025
Suspicious activity identified; containment and forensic investigation begin
Feb 25, 2025
Breach reported to HHS Office for Civil Rights affecting 21,534 individuals
Mar 14, 2025
Individual notification letters mailed to affected patients
Mar 14, 2025
Disclosed publicly
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Lake Washington Vascular Surgeons, a specialty vascular surgery practice based in Bellevue, Washington, confirmed a ransomware attack on February 14, 2025 attributed to the Qilin ransomware-as-a-service group. The practice detected the intrusion the same day it began, engaged third-party forensic investigators, and reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights on February 25, 2025. Individual notification letters were mailed on March 14, 2025 to 21,534 affected patients.
Qilin, a Russian-speaking ransomware-as-a-service operation active since 2022, listed Lake Washington Vascular on its dark-web leak site as part of its data-extortion playbook. The federal OCR portal entry remains open.
Timeline
- February 14, 2025 — Qilin ransomware actor gains unauthorized access to Lake Washington Vascular’s network. The intrusion is detected the same day and forensic investigation begins.
- February 25, 2025 — Breach reported to HHS Office for Civil Rights affecting 21,534 individuals.
- March 14, 2025 — Individual notification letters mailed to affected patients.
What was exposed
The data elements confirmed exposed vary by individual but include:
- Name, contact information, and date of birth
- Social Security number
- Driver’s license or state-issued ID number
- Medical record number and patient ID number
- Health insurance information
- Diagnosis and treatment information related to vascular care
Because Qilin operates a double-extortion model, exfiltrated data is typically published on the group’s leak site when ransom demands are not met.
What the entity is offering
Lake Washington Vascular’s notification to affected patients includes complimentary credit-monitoring and identity-protection services. Enrollment instructions and an activation code are provided in the individual notification letter.
Class-action and regulatory posture
No class-action complaint has been publicly docketed against Lake Washington Vascular Surgeons in connection with this incident as of this writing. The HHS OCR portal entry remains open pending federal investigation.
What to do if you may be affected
- Enroll in the offered credit-monitoring service using the activation code in your notification letter. The enrollment code is single-use and tied to your notice.
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license data were exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
- Watch for medical identity theft. Because diagnosis, insurance, and treatment data tied to vascular care was exposed, review every Explanation of Benefits and request a copy of your medical record from your insurer if you see services you did not receive.
- Be alert to targeted phishing. Threat actors with name, address, date of birth, and treatment context can craft highly convincing follow-on lures referencing your care at Lake Washington Vascular. Treat unexpected calls or emails referencing the practice with skepticism, and do not click links in unsolicited messages.
- Monitor for leak-site posting. Qilin publishes exfiltrated data on its dark-web leak site when victims do not pay. Identity-protection services that include dark-web monitoring can flag exposed personal information.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-02-25, 21,534 individuals).
- HIPAA Journal — Qilin Ransomware Group Adds Lake Washington Vascular Surgeons to Leak Site — attribution to Qilin, incident timeline, exposed data.
- Lake Washington Vascular Surgeons — Patient Notice — entity’s own notification page.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Qilin Ransomware Group Adds Lake Washington Vascular Surgeons to Leak Site
- Lake Washington Vascular Surgeons — Patient Notice
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.