Cyber Incident Victim: MultiCare Health System

On October 11, 2022, Tacoma, Washington-based MultiCare Health System disclosed that personal information belonging to current and former employees was compromised in a ransomware attack targeting Kaye-Smith, a third-party vendor responsible for printing W-2 and 1099 tax forms. The health system stated it was notified by Kaye-Smith on September 30, 2022, that employee names, addresses, and Social Security numbers had been stolen during the cybersecurity incident. Kaye-Smith had initially confirmed the ransomware attack in early June 2022 and implemented measures to resecure its systems while monitoring for potential data exposure. MultiCare emphasized that the breach originated entirely within the vendor's infrastructure, with no penetration of MultiCare's own networks or systems. The compromised data was limited to information processed through Kaye-Smith's printing services, though MultiCare did not specify the exact number of affected individuals beyond referencing "a number" of employees.

Kaye-Smith maintained throughout the investigation that no evidence suggested the stolen employee data had been publicly released or misused following the attack. As part of the response, the vendor coordinated with MultiCare to implement notification procedures for impacted individuals, with direct communications scheduled to begin the week of October 11, 2022. Affected employees were offered two years of complimentary credit monitoring services as a protective measure against potential identity theft. MultiCare's public disclosure aligned with Kaye-Smith's notification timeline while emphasizing the containment of the incident to the vendor's systems. The health system did not report any operational disruptions to patient care services or internal administrative functions resulting from the vendor breach.