Active breach tracker Bellingham, Washington Disclosed October 28, 2025

Northwest Radiologists / Mount Baker Imaging Data Breach 2025: 362,713 Affected After January Ransomware Attack at Bellingham Radiology Group. $3.3M Settlement — Claims Due August 19, 2026. What To Do

Northwest Radiologists and Mount Baker Imaging suffered a January 2025 ransomware attack exposing 362,713 patients' SSNs, driver's licenses, banking data, and clinical records. A $3.3M class-action settlement was preliminarily approved April 21, 2026 — claim deadline is August 19, 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 20, 2025

Unauthorized actor begins accessing Northwest Radiologists / MBI network

Jan 25, 2025

Network disruption identified; attacker access window closes

Mar 26, 2025

Entity posts initial 'data security incident' notice on mtbakerimaging.com

Apr 25, 2025

Uitdenhowen and Barr file proposed class action in Whatcom County Superior Court

May 1, 2025

Court consolidates four parallel class actions into a single proceeding

Jun 1, 2025

Plaintiffs file consolidated complaint (negligence, breach of implied contract, Washington CPA)

Jul 10, 2025

Northwest Radiologists / MBI reports 348,118 Washingtonians to the WA Attorney General

Oct 28, 2025

HHS OCR breach report submitted: 362,713 individuals, Hacking/IT Incident at Network Server

Oct 31, 2025

Individual notification letters mailed to affected patients (~10 months post-incident)

Apr 21, 2026

Judge Evan Jones grants preliminary settlement approval (In re: Mt. Baker Imaging, LLC, Data Security Litigation, Case No. 25-2-00463-37); settlement website MtBakerDataSettlement.com goes live

Jul 20, 2026

Opt-out and objection deadline for class members

Aug 19, 2026

Claim submission deadline — online or postmarked (MtBakerDataSettlement.com)

Aug 21, 2026

Final settlement approval hearing, Whatcom County Superior Court, 1:30 p.m. PT

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / Washington state ID number

02

Health records

Don't expire and can't be reissued

Patient ID / medical record number Diagnosis and treatment information Provider name and treatment cost information

03

Contact & insurance

Phishing + targeted scams

Full name Address Phone number Email address Military ID number Financial account / banking information Health insurance policy and ID numbers

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC Emery Reddy, PLLC Almeida Law Group Wright, Constable & Skeen (per published commentary)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Northwest Radiologists, Inc. and Mount Baker Imaging, the Bellingham-based radiology practice and its joint-venture outpatient imaging arm, filed a HIPAA breach notification with the HHS Office for Civil Rights on October 28, 2025, reporting 362,713 affected individuals in a Hacking/IT Incident at a Network Server. Forensic investigators and court settlement documents confirm this was a ransomware attack: an unauthorized actor accessed and exfiltrated files from the network between January 20 and January 25, 2025, with the network disruption identified on January 25. No specific ransomware group has publicly claimed responsibility. The exposed file set included Social Security numbers, driver’s license and state ID numbers, banking information, military ID numbers, dates of birth, health insurance details, and clinical information including diagnosis, treatment, and provider data. Individual notice letters did not arrive until October 31, 2025, roughly ten months after the intrusion. A $3.3 million class-action settlement received preliminary approval on April 21, 2026 — the claim deadline is August 19, 2026.

Timeline

  • January 20-25, 2025 — Unauthorized actor accesses Northwest Radiologists / Mount Baker Imaging network; entity identifies a “computer network disruption” on January 25.
  • March 26, 2025 — Entity posts an initial data-security-incident notice on the Mount Baker Imaging website; no individual letters are sent at this stage.
  • April 25, 2025 — Daniel Uitdenhowen (Ferndale) and Michael Barr (Bellingham) file a proposed class action in Whatcom County Superior Court alleging negligence and inadequate security.
  • May 2025 — Court consolidates four parallel class actions into a single proceeding.
  • June 2025 — Plaintiffs file a consolidated complaint citing negligence, breach of implied contract, and violations of the Washington Consumer Protection Act.
  • July 10, 2025 — Entity files notice with the Washington Attorney General reporting 348,118 affected Washington residents.
  • October 28, 2025 — HHS OCR breach report submitted: 362,713 individuals, Hacking/IT Incident at Network Server (the final, higher count once non-Washington patients are included).
  • October 31, 2025 — Notification letters mailed; President Stephen Buetow writes that the entity has “no reason to believe” data will be misused. Buetow declines to publicly explain the seven-month gap between discovery and AG notice, which Washington law requires within 30 days.
  • April 21, 2026 — Judge Evan Jones of Whatcom County Superior Court grants preliminary approval of the $3.3 million settlement (In re: Mt. Baker Imaging, LLC, Data Security Litigation, Case No. 25-2-00463-37). Settlement administrator EAG Gulf Coast, LLC launches MtBakerDataSettlement.com.
  • July 20, 2026 — Deadline to opt out of or object to the settlement.
  • August 19, 2026 — Claim submission deadline (online at MtBakerDataSettlement.com or postmarked).
  • August 21, 2026 — Final settlement approval hearing, 1:30 p.m. PT, Whatcom County Superior Court.

What was exposed

Per the Washington AG filing and the entity’s substitute notice, the compromised file set included:

  • Identity data: full name, address, phone, email, date of birth.
  • Government identifiers: Social Security number, driver’s license / Washington state ID number, military ID number.
  • Financial data: banking and financial account information.
  • Clinical and insurance data: health insurance policy and ID numbers, patient ID / medical record number, diagnosis, treatment, provider name, and treatment cost information.

The combination of SSN plus driver’s license plus financial account information puts most patients in the high-risk tier for synthetic identity fraud and account-takeover attempts, not just medical-identity misuse.

What the entity is offering

Northwest Radiologists / Mount Baker Imaging is providing complimentary credit-monitoring and identity-protection services to notified individuals and has set up a dedicated call center at 1-855-291-2706. The settlement adds two years of Medical Shield Complete medical identity-theft protection through CyEx for all class members who submit a valid claim. Written inquiries go to Northwest Radiologists / Mount Baker Imaging, 2930 Squalicum Parkway, Suite 101, Bellingham, WA 98225.

Class-action posture

The $3,300,000 non-reversionary settlement fund — preliminarily approved by Judge Evan Jones on April 21, 2026 — covers approximately 340,184 class members (U.S. residents whose private information was potentially or actually compromised in the January 2025 incident). The fund includes:

  • Reimbursement of documented out-of-pocket losses up to $5,000 per class member (receipts, fraud charges, credit-monitoring costs, bank fees, notary charges, postage).
  • Two years of Medical Shield Complete identity-theft protection through CyEx.
  • Pro-rata cash payments from remaining fund balance after administration costs and attorney fees.
  • Attorney fees not to exceed $1,100,000; service awards of $4,000 each for the nine named class representatives.

The consolidated complaint alleges negligence, breach of implied contract, and violations of the Washington Consumer Protection Act. The settlement covers four separately filed class actions that were consolidated into a single proceeding. Plaintiff-side firms publicly investigating or active in the litigation include Strauss Borrelli PLLC, Emery Reddy, PLLC, and Almeida Law Group.

Key deadlines:

  • Opt-out or object: postmarked by July 20, 2026
  • Submit a claim: online or postmarked by August 19, 2026 at MtBakerDataSettlement.com
  • Final approval hearing: August 21, 2026, 1:30 p.m. PT, Whatcom County Superior Court

Claim submission options: Claims may be filed online at MtBakerDataSettlement.com or mailed to Mt. Baker Claims Administrator, P.O. Box 1711, Baton Rouge, LA 70821. Approved claimants can receive payment via Venmo, PayPal, Zelle, or paper check.

What to do

  1. Submit a settlement claim by August 19, 2026. File online at MtBakerDataSettlement.com or mail a printed form postmarked by that date to: Mt. Baker Claims Administrator, P.O. Box 1711, Baton Rouge, LA 70821. You need the settlement claim ID from your notice letter. Approved payments can be received via Venmo, PayPal, Zelle, or paper check. Doing nothing forfeits your share of the $3.3 million fund.
  2. Freeze your credit at Equifax, Experian, and TransUnion. With SSNs, driver’s licenses, and banking data in the exposed set, a freeze is the highest-leverage protection against new-account fraud. It is free and reversible.
  3. Enroll in Medical Shield Complete through CyEx when you submit your claim. The two-year monitoring window begins when you activate.
  4. File an IRS Identity Protection PIN request if your SSN was exposed. It is free at IRS.gov and blocks fraudulent tax-return filings in your name.
  5. Review your insurance Explanation of Benefits for treatment you did not receive. Medical-identity misuse from radiology records can take 12-24 months to surface as fraudulent claims.
  6. Monitor your banking accounts. Banking and financial account information was in the exposed file set. Set up transaction alerts and consider replacing compromised account numbers.
  7. Stop the ongoing flow of your radiology and imaging data. HealthConsent files HIPAA restriction requests so the diagnostic, clinical, and insurance records exposed in this breach are not continuously re-shared across imaging networks, health information exchanges, and insurance data platforms.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.