Washington
A data breach occurs when unauthorized individuals gain access to data, jeopardizing the confidentiality, security, or integrity of personal information held by an individual, organization, or entity. Unfortunately, for Washington residents, it's an alarmingly common occurrence. Last year alone, 133 data breaches compromised the information of over 4 million Washingtonians, making it the third-worst year on record.
Reports also attribute the increase in these breaches to ransomware attacks. In 2023, 49 such attacks were reported, the second-highest number since tracking began. These attacks threaten individual privacy and undermine critical services like healthcare and utilities, putting entire communities at risk.
Identity Theft Statistics
[Charts omitted: Reports; Losses; Top Ten Report Categories; Top Identity Theft Types]
Washington’s Recent Biggest Data Breaches
Washington National Insurance Company
On January 26, 2024, Washington National Insurance Company (WNIC) announced a data breach affecting some customers. An unauthorized party accessed sensitive information stored on its servers on November 28, 2023. WNIC confirmed that the exposed data may include names, dates of birth, policy numbers, and Social Security numbers. The law firm Federman & Sherwood is investigating the data breach at Washington National Insurance Company.
Moses Lake Community Health Center (MLCHC)
In late 2023, Moses Lake Community Health Center (MLCHC) experienced a data breach that compromised the personal information of over 1,100 individuals. The incident, discovered on September 14, 2023, involved unauthorized access to two employee email accounts. This access exposed sensitive information like names, Social Security numbers, medical records, and insurance details. MLCHC promptly notified the Attorney General of Washington and launched an investigation. Upon completion, they started sending data breach notification letters to affected individuals, outlining the incident and steps they could take to protect themselves.
Western Washington Medical Group (WWMG)
In a recent cyberattack on Western Washington Medical Group (WWMG), the data of over 350,000 patients was compromised. The breach exposed sensitive information such as names, Social Security numbers, medical records, and insurance details from the healthcare provider's systems. The incident came to light on August 26, 2023, and WWMG promptly reported it to the authorities on October 26, 2023. Since then, the company has been actively investigating the breach and began notifying affected individuals on November 6, 2023. While there is no proof of data misuse from the attackers, WWMG is offering free credit monitoring and identity theft protection to affected parties.
Washington State Department of Licensing
In January 2022, a data breach hit the Washington State Department of Licensing (DOL), affecting over 650,000 individuals. The breach involved the POLARIS system, which manages professional and occupational licenses in the state. This system handles everything from processing applications to issuing and renewing licenses for various professions. The DOL discovered suspicious activity on its systems on January 24, 2022, and immediately shut down POLARIS to investigate. While the exact types of information compromised vary by individual, the breach exposed sensitive data like licenses, Social Security numbers, and dates of birth.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from Debt Collectors
Phone calls or letters from collection agencies seeking payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards or Loans in Your Name
A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.
Surprise Credit Score Drops
Sudden credit score drops with no obvious cause are a sign of suspicious activity.
Unusual Activity on Your Social Security Account
The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one has access to benefits without consent.
Inability to Sign in to Accounts
If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Any entity entrusted with computerized personal information (PI) not owned by itself must promptly notify the owner or authorized user of any security breach upon discovery if the PI is suspected or confirmed to have been accessed by an unauthorized individual.
PI encompasses identifying details, such as:
- Individual's name
- Full birth dates
- Social Security numbers
- Driver's license numbers
- Account details
- Private electronic keys
- Student/military/passport IDs
- Health insurance information
- Medical history
- Biometric data
Additionally, it includes usernames or email addresses paired with passwords or security questions granting access to online accounts. It also encompasses any combination of these data elements, even without the individual's full name, if it could enable identity theft. However, personal information excludes publicly available information from government records.
Entities must issue the notice through written or electronic means, adhering to the E-Sign Act. If the cost of issuing notice exceeds $250,000, the number of affected subjects surpasses 500,000, or if insufficient contact data is available, businesses may opt for substitute notice methods. These alternative methods may involve email notifications, website postings, and notifications through media channels.
A business that neglects to divulge information may breach the Consumer Protection Act. A consumer affected by such a breach may receive actual damages or, in instances of deliberate violations, punitive damages of up to $1,000, along with costs and reasonable attorney's fees.
Laws
Washington state has two primary data breach notification laws:
- RCW 19.255.010: This law applies to businesses and individuals.
- RCW 42.56.590: This law applies to local and state government agencies.
While the specific legal codes differ slightly, both laws require the same thing: notifying Washington residents harmed by a security breach involving their personal information.
This notification must be made no later than thirty days from the time the breach is identified unless law enforcement deems it necessary to delay the notification for a criminal investigation.
The notification, whether written, electronic, or substitute, should convey information in plain language and include:
- Contact details
- Types of affected personal information
- Exposure time frame
- Toll-free numbers and addresses of major credit reporting agencies
However, if the breach doesn't seem like it could harm consumers, businesses are not obligated to give notice.
Businesses will also notify the attorney general if the breach affects more than 500 Washington residents. The notification should provide specific information about the incident.
This includes the number of people in Washington affected, or an estimate if the exact number is unknown. It should also list the kinds of personal information that might have been affected and when the breach happened. The business must also indicate what it has done to fix the problem.
The company must also provide a notification sample without disclosing the personal information of the affected individuals. If the sender does not possess certain information at the time of notice, they must inform the attorney general as soon as they obtain it.
Entities that fall under HIPAA regulations and have established notification procedures are considered compliant with the notification requirements outlined in this legislation.