Lessons from the Northwest Radiologists Data Breach Lawsuit

In the quiet coastal town of Bellingham, Washington, a storm is brewing for healthcare providers. On April 25, 2025, two local patients, Daniel Uitdenhowen of Ferndale and Michael Barr of Bellingham, filed a proposed class action lawsuit against Northwest Radiologists and its joint venture, Mount Baker Imaging, in Whatcom County Superior Court. The suit, detailed in a Cascadia Daily News report, alleges that a January 2025 cyberattack exposed sensitive patient information due to “negligence and inadequate” security measures. For healthcare providers, this case is a wake-up call—a stark reminder that cybersecurity is no longer optional but a critical pillar of patient trust and operational survival. 

The Breach: A Treasure Trove of Sensitive Data 

The cyberattack, which disrupted Northwest Radiologists’ systems around January 25, 2025, compromised a range of personal data: names, dates of birth, Social Security numbers, driver’s license numbers, and even diagnostic details. According to the lawsuit, the practice’s “cyber and data security systems were so completely inadequate” that cybercriminals accessed files containing “thousands of patients’ private, highly sensitive information.” It wasn’t a minor glitch but a significant breach that shook the confidence of patients relying on Northwest Radiologists, a 20-radiologist practice serving PeaceHealth hospitals in Bellingham, Friday Harbor, Sedro Woolley, and Ketchikan, Alaska, for over 50 years. 

What makes this case particularly alarming is the plaintiffs’ claim that Northwest Radiologists failed to act transparently. Initially described as a “computer network disruption,” the incident was only later acknowledged as a “data breach.” The lawsuit alleges that the practice violated federal and state laws by delaying formal notifications to affected patients, with no clear communication issued by April 23, 2025. This lack of prompt disclosure, coupled with accusations of inadequate employee training on cybersecurity protocols, paints a troubling picture for providers striving to maintain compliance and trust. 

A Growing Trend: Radiology Under Attack 

Northwest Radiologists is not alone. The radiology sector has become a prime target for cybercriminals, with several high-profile breaches in recent years. Arizona-based SimonMed Imaging, one of the largest outpatient imaging providers in the U.S., faced a ransomware attack in January 2025, attributed to the Medusa cybercrime gang, which led to lawsuits by February. Similarly, Florida’s Akumin, a major imaging and oncology provider, was hit in October 2023, with legal action following in December. Smaller practices haven’t been spared either: Pinehurst Radiology Associates in North Carolina temporarily closed after a January 2025 breach, and New York’s East River Medical Imaging settled a class action lawsuit for $1.85 million in October 2024 after a cyberattack.

Why radiology? The answer lies in the data. Radiology practices handle a goldmine of sensitive information—diagnostic images, patient histories, and billing details—that cybercriminals can exploit for identity theft, fraud, or ransomware. The increasing reliance on electronic health records (EHRs) and interconnected systems, while improving efficiency, has also widened the attack surface. For providers, these incidents underscore the need for robust cybersecurity frameworks to protect both patients and their own financial stability. 

The Fallout: Legal and Reputational Risks 

The lawsuit against Northwest Radiologists highlights two critical risks for providers: legal liability and reputational damage. Uitdenhowen and Barr allege that the practice’s failure to safeguard data and promptly notify patients breached federal regulations like HIPAA and Washington state laws, which mandate timely breach notifications. HIPAA, for instance, requires covered entities to notify affected individuals within 60 days of discovering a breach, a standard the plaintiffs claim Northwest Radiologists missed. Non-compliance can lead to hefty fines from the Department of Health and Human Services’ Office for Civil Rights, with penalties ranging from $100 to $50,000 per violation, capped at $1.5 million annually. 

Beyond fines, the reputational toll is steep. Patients expect their healthcare providers to protect their data as diligently as they protect their health. The lawsuit’s accusation of “obfuscation” suggests a breakdown in trust, which can drive patients to competitors. For a practice like Northwest Radiologists, which operates six outpatient imaging centers under Mount Baker Imaging in partnership with PeaceHealth and is part of the Strategic Radiology coalition, maintaining a stellar reputation is vital to retaining referrals and community goodwill. 

Lessons for Providers: Fortifying Your Defenses 

This case offers valuable lessons for healthcare providers, particularly those in radiology, to mitigate the risks of cyberattacks. Here are five actionable strategies to strengthen your practice’s cybersecurity posture: 

  1. Invest in Robust Security Systems: The lawsuit’s claim of “completely inadequate” systems underscores the need for state-of-the-art cybersecurity. Implement firewalls, encryption, and endpoint detection tools to safeguard EHRs and imaging systems. Regular penetration testing can identify vulnerabilities before hackers do. For example, SimonMed Imaging, post-breach, enhanced multifactor authentication and limited third-party vendor access to bolster security.
  2. Train Staff Relentlessly: The plaintiffs’ allegation of inadequate employee training is a red flag. Conduct regular cybersecurity training to teach staff how to recognize phishing attempts, secure passwords, and respond to incidents. A 2024 survey by the American Medical Association found that 93% of healthcare data breaches involved phishing, making staff education a frontline defense.
  3. Develop a Clear Incident Response Plan: Northwest Radiologists’ delayed and vague communication exacerbated patient frustration. Create a comprehensive incident response plan that outlines steps for identifying, containing, and reporting breaches. Ensure compliance with HIPAA’s 60-day notification rule and state laws, and communicate transparently with patients to maintain trust.
  4. Engage Forensic Experts Early: Northwest Radiologists hired a forensic specialist in March 2025, but earlier engagement could have clarified the breach’s scope sooner. Partner with cybersecurity firms to conduct immediate investigations post-incident, helping to assess damage and prevent further leaks. This proactive step can also strengthen your legal position by demonstrating due diligence.
  5. Secure Cyber Insurance: With cyberattacks on the rise, cyber insurance is a must. Policies can cover legal fees, notification costs, and settlements, mitigating financial strain. Ensure your policy includes coverage for ransomware, as seen in the SimonMed case, where Medusa’s attack highlighted the growing threat of data encryption.

The Bigger Picture 

The Northwest Radiologists lawsuit is a microcosm of a broader challenge facing healthcare. The U.S. Department of Health and Human Services reported a 256% increase in healthcare data breaches from 2015 to 2022, with radiology practices increasingly in the crosshairs. The financial stakes are high—Akumin’s 2023 breach disrupted operations across 200 facilities, and East River’s $1.85 million settlement shows the cost of legal fallout. Yet, the human cost is even greater. Patients whose data is exposed face risks of identity theft and emotional distress, eroding the trust that underpins healthcare. 

For providers, the path forward requires a cultural shift. Cybersecurity must be as integral to your practice as clinical excellence. Collaborate with IT experts, stay updated on evolving threats, and prioritize patient communication. Joining coalitions like Strategic Radiology, as Northwest Radiologists did, can provide access to shared resources and best practices for cybersecurity. 

As the Northwest Radiologists case unfolds, it serves as a cautionary tale and a catalyst for change. The lawsuit, still in its early stages, may lead to settlements or stricter regulations, but its impact is already clear: providers must act now to protect their data and their patients. By investing in technology, training, and transparency, you can not only avoid the pitfalls that led to this lawsuit but also position your practice as a trusted leader in an increasingly digital healthcare landscape. 

For radiologists and other providers, the message is simple: don’t wait for a breach to expose your vulnerabilities. Take proactive steps today to fortify your defenses, because in healthcare, safeguarding data is as critical as saving lives. 

Sources: Cascadia Daily News, April 29, 2025; Radiology Business, May 2, 2025; ClassAction.org, April 18, 2025; U.S. Department of Health and Human Services, HIPAA Breach Notification Rule. 

