If you got a letter from Mt. Spokane Pediatrics dated around April 30, 2026, your name was on a list of 29,410 patients whose information was taken in a January ransomware attack. For many on that list, the affected patient is a child. The practical steps below matter more than the letter does \u2014 and most of them are free.<\/p>\n
The Mt. Spokane Pediatrics data breach began on or around January 1, 2026, when an unauthorized party broke into the clinic’s network and removed files. The clinic says it caught the intrusion, contained it, and brought in outside forensic investigators. Two days later, a ransomware group operating under the LockBit 5.0 name claimed responsibility.<\/p>\n
The forensic investigation took most of the next four months. On April 22, 2026, investigators confirmed what was in the stolen files. The clinic began mailing notices to affected patients on April 30 and reported the breach to the Washington Attorney General.<\/p>\n
Per the clinic’s notice, the stolen files contained some combination of the following for each affected patient:<\/strong><\/p>\n Not every notified person had every category exposed. Patients whose Social Security numbers were among the stolen data are being offered free credit monitoring through the clinic.<\/p>\n The clinic says it has no evidence of fraud tied to the incident as of the notification date. That’s a snapshot, not a guarantee. Stolen healthcare records often surface on dark-web marketplaces months or years after the breach itself, which is why the practical response matters even if nothing has happened yet.<\/p>\n A child’s Social Security number is, from a thief’s perspective, cleaner than an adult’s. Kids don’t check their credit. Most parents don’t either, on a child’s behalf. A stolen child SSN can sit unused for ten or fifteen years and surface as a fraudulent credit account, an apartment lease, or a tax return that has to be untangled before the child can buy a car or apply for student aid.<\/p>\n That’s the practical reason this breach hits harder than a typical adult-data exposure of the same size. A meaningful share of the 29,410 affected here are minors, and the harm \u2014 if it materializes \u2014 won’t show up for years.<\/p>\n Freeze your child’s credit at all three bureaus. Equifax, Experian, and TransUnion<\/a> will each let a parent place a security freeze on a minor’s file. It’s free. Do this even if you take no other step. A freeze blocks new accounts from being opened in the child’s name and is the single most effective protection against the long-tail risk of pediatric SSN theft.<\/p>\n Enroll in the credit monitoring the clinic offered. It’s free for affected individuals. Use the activation code in your letter. The clinic’s response line is 1-833-289-5228 if you misplaced the code or have questions about your specific exposure.Pull a credit report on your child directly from each bureau. Children should not have a credit file at all. If a report comes back showing one exists, that’s a flag worth investigating. The Identity Theft Resource Center<\/a> has step-by-step instructions for minor credit checks.<\/p>\n Watch your insurance EOBs and tax filings. Medical identity theft shows up as treatment you didn’t receive billed to your plan. Tax-related identity theft shows up as a rejected return because someone filed first using the affected SSN. Both can trace back to a healthcare breach.<\/p>\n Save the notice letter. It’s your proof you were among the affected and it’s what triggers your standing if anything later requires legal action.<\/p>\n The Washington Attorney General’s 2025 data breach report flagged a pattern that put Mt. Spokane Pediatrics squarely inside the trend before its own breach happened. Breach notifications in the state exceeded Washington’s population for the second year running. Ransomware was the leading attack type. Three of the top five breaches involved healthcare entities.<\/p>\n Washington’s data breach notification law, RCW 19.255, requires entities holding personal information to notify affected residents and the attorney general when more than 500 Washingtonians are involved. Mt. Spokane Pediatrics appears to have followed the notice requirement on its face. Whether the underlying security practices met the legal standard of reasonableness is a separate question, and one that often gets sorted out only after litigation forces the question.<\/p>\n\n
Why pediatric breaches are worse than most<\/h2>\n
What to do this week<\/h2>\n
The Washington context<\/h2>\n
What kind of legal exposure these breaches create<\/h2>\n