Cyber Incident Victim: Sound Generations
Date: Jul 2021
Location: United States of America
Summary
A nonprofit organization serving older adults and individuals with disabilities experienced two ransomware incidents where unauthorized actors encrypted files on its systems. The breaches compromised data belonging to over 100,000 individuals, including names, contact details, dates of birth, health insurance status, and potentially medical histories or insurance numbers for certain program participants. While forensic investigations could not confirm whether attackers accessed or acquired protected health information, the organization found no evidence of fraudulent misuse of the exposed data. It advised affected individuals to monitor accounts for suspicious activity and implemented significant cybersecurity enhancements following the attacks.
Description
Sound Generations, a Seattle-based nonprofit providing healthcare resources to older adults and adults with disabilities, experienced two separate ransomware attacks in 2021. The first breach occurred on July 18, 2021, when unauthorized individuals accessed internal systems and encrypted files using ransomware. A second intrusion followed on September 18, 2021, employing identical encryption tactics. The organization promptly terminated both unauthorized accesses upon detection and engaged a third-party forensics firm to investigate the incidents. Forensic analysis confirmed the ransomware events but could not determine whether attackers viewed or exfiltrated protected health information during either intrusion. Sound Generations maintained operations as Washington state's largest aging services provider throughout both security events.

An internal review revealed that systems compromised in the attacks contained protected health information for 103,576 individuals. Exposed data included names, addresses, phone numbers, email addresses, dates of birth, and health insurance status details. Participants in the EnhanceFitness program faced additional exposure risks involving health insurance numbers, while broader health histories and medical conditions were potentially compromised if previously shared with the organization. Although no evidence of fraudulent information misuse emerged, Sound Generations notified affected individuals about potential risks and advised vigilance regarding account activity and insurance statements. The nonprofit implemented significant cybersecurity control enhancements following the dual incidents to strengthen system protections against future attacks.
