Cyber Incident Victim: Peoples Injury Network Northwest
Date: Apr 2019
Location: United States of America
Summary
Peoples Injury Network Northwest experienced a ransomware attack compromising three servers, potentially exposing sensitive data of 12,502 Washington residents. Investigators could not definitively rule out unauthorized access or exfiltration of patient information, which included diagnoses, names, addresses, dates of birth, and driver’s license numbers. The organization provided notification and identity protection services to affected individuals through a third-party vendor.
Description
On or around April 22, 2019, Peoples Injury Network Northwest (PINN), a Washington-based entity, experienced a ransomware attack that infected three of its servers. The incident prompted an investigation to determine whether patient data had been accessed or exfiltrated. Investigators were unable to conclusively rule out unauthorized access or data theft due to the nature of the ransomware attack. As a result, PINN determined that the personal information of 12,502 Washington residents was potentially compromised. The data at risk included patients’ names, addresses, dates of birth, driver’s license numbers, and diagnosis information. Notification letters were subsequently issued to affected individuals, though the exact timeline of notification relative to the April attack date was not specified in available sources. PINN partnered with ID Experts to provide assistance to impacted patients, including credit monitoring and identity restoration services, as detailed in their notification template.

The incident’s primary impact stemmed from the exposure of sensitive health and identification data, creating potential risks of identity theft or medical fraud for affected individuals. PINN’s public disclosure occurred via a breach notification published in September 2019, nearly five months after the ransomware infection. The entity’s name was initially reported in error as “Personal Injury Network Northwest” in early media coverage but was corrected to “Peoples Injury Network Northwest” on September 25, 2019. No further technical details regarding the ransomware variant, attack vector, or system containment measures were disclosed in the available source material. Because the investigation could not confirm that the data had not been accessed, PINN issued the notifications as a precaution, despite the absence of definitive evidence of exfiltration.
