Mt. Spokane Pediatrics Data Breach Affects 29k: SSNs Exposed

Mt. Spokane Pediatrics disclosed a Jan. 1, 2026, data breach that affected approximately 29,410 people in Washington state.

On or about Jan. 1, 2026, an unauthorized third-party actor accessed certain systems in the clinic's network environment and removed files containing personal and protected health information, according to the company's notification to consumers.

Just two days later, on Jan. 3, 2026, the ransomware group known as Lockbit 5.0 claimed responsibility for the attack. The claim was posted on the Tor network, where the group said it had obtained the clinic's data and intended to publish it within 20 days.

A forensic investigation followed. On April 22, 2026, the investigation determined that the files removed from the network on or around Jan. 1, 2026, contained patient information. According to the company's notification, not all types of information were impacted for every individual.

The types of personally identifiable information (PII) exposed included full names, dates of birth and Social Security numbers. The protected health information (PHI) exposed included health insurance information, medical treatment information, medical diagnostic information, medical record numbers or patient numbers, health plan beneficiary numbers and dates of service.

The breach was reported to the Washington Attorney General on April 30, 2026. The clinic began notifying consumers on the same day and posted a notice on its website with details about the incident.

Mt. Spokane Pediatrics' response

The clinic is offering affected individuals a complimentary membership for single bureau credit monitoring, credit report and credit score services at no charge. These services are being provided by Cyberscout, a TransUnion company that specializes in fraud assistance and remediation services.

The credit monitoring services provide alerts when changes occur to a credit file. Those alerts are sent the same day the change takes place with the credit bureau. The clinic is also providing proactive fraud assistance to help with questions or in the event someone becomes a victim of fraud.

According to the notification, enrolling in the monitoring service will not affect credit scores. Affected individuals must enroll using a unique code included in their notification letter. Enrollment requires an internet connection and email account, and the monitoring service may not be available to minors under the age of 18.

The clinic also said it continually evaluates and modifies its practices to enhance the security and privacy of information. It is taking measures to augment its existing cybersecurity practices, according to the website notice.

Affected individuals who have questions can contact the dedicated toll-free response line at 1-833-289-5228. The line is available for 90 days between 8 a.m. and 8 p.m. Eastern time, Monday through Friday, excluding holidays.