Washington Cybersecurity Breach Report 2025: $368M in Losses

A factual analysis of cybercrime losses, healthcare breaches, technology-sector incidents, and the Washington regulatory environment.

Published by BlueRadius Cyber | May 2026 | All figures sourced and footnoted

Executive Summary

Washington reported approximately $368 million in losses from internet crime in 2024 according to the FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, with 18,009 complaints filed by Washington residents that year.[1][2] Washington ranks roughly tenth nationally by reported losses and twelfth by complaint volume, reflecting the state's outsized concentration of technology, healthcare, aerospace, and managed services targets.[2] Separately, the Washington Attorney General's Office reported that Washingtonians received 11.6 million breach notices in the year ending July 23, 2024, the first time the volume of individual breach notices exceeded the state's resident population.[3]

This report compiles publicly verifiable Washington-specific and Washington-relevant data on cybersecurity incidents, regulatory enforcement, and threat patterns from 2024 and early 2025. Every statistic is sourced and footnoted. For Washington mid-market organizations the picture is consistent: a state whose largest employers (Microsoft, Amazon, T-Mobile, Boeing's commercial airplanes division, Providence, Fred Hutch, UW Medicine) have each been at the center of nationally significant security incidents in the last 24 months, a regulatory environment that added the strictest consumer health data privacy law in the United States (the My Health My Data Act), and a breach notification timeline (30 days) that is materially tighter than the federal default.

Key Findings

$368 million in reported Washington losses from internet crime in 2024, with the state ranking approximately tenth nationally by losses.[1][2]
18,009 Washington complaints filed with FBI IC3 in 2024, ranking the state roughly twelfth nationally by complaint volume.[1][2]
11.6 million breach notices sent to Washington residents in the reporting year ending July 23, 2024, the first time individual notifications exceeded the state population, per the Washington Attorney General's 2024 Annual Data Breach Report.[3][4]
279 breaches affected 500 or more Washington residents in the same reporting period, with cyberattacks accounting for 78% of all breaches (up from 68% the prior year) and ransomware comprising 52% of cyberattacks.[3][4]
2.1 million Fred Hutchinson Cancer Center and UW Medicine patients had protected health information exposed in the November 2023 Hunters International ransomware intrusion that exploited the Citrix Bleed vulnerability (CVE-2023-4966), with the attackers sending individual extortion demands to patients.[5][6][7]
$31.5 million FCC settlement with T-Mobile announced September 30, 2024 ($15.75 million civil penalty plus a separate $15.75 million cybersecurity investment commitment) resolving the 2021, 2022, and 2023 customer data incidents.[8][9]
$200 million ransom demand against Boeing by the LockBit ransomware group in October 2023, per the May 2024 DOJ indictment unsealed against LockBit administrator Dmitry Khoroshev. Boeing did not pay, and approximately 43 GB of data was published to the LockBit leak site in November 2023.[10][11]
Washington's My Health My Data Act (MHMDA) became effective March 31, 2024 for regulated entities, creating a private right of action and civil penalties up to $7,500 per violation for unconsented collection or sharing of consumer health data, well beyond the scope of HIPAA.[12][13]

Bottom line: Washington-headquartered or Washington-significant organizations were at the center of three of the most consequential U.S. cybersecurity incidents of the past 24 months (T-Mobile, Boeing, Microsoft), the state's healthcare sector absorbed one of the largest provider breaches in the country (Fred Hutchinson and UW Medicine), and the regulatory environment is now defined by a 30-day breach notification deadline and the strictest consumer health privacy law in the country. Mid-market organizations operating in or selling into Washington should treat the next 12 months as a forced upgrade cycle on breach response, identity and access management, and vendor risk.

The Headline Numbers: Washington in the FBI IC3 2024 Annual Report

The FBI Internet Crime Complaint Center (IC3) publishes annual data on reported internet crime by state. The 2024 report was released in April 2025.[2]

National Context

Nationally, IC3 received 859,532 complaints in 2024 with reported losses exceeding $16.6 billion, a 33% increase over 2023.[2] More than 147,000 complaints were filed by people aged 60 and older nationally, with reported losses to that demographic reaching approximately $4.8 billion, a 43% year-over-year increase.[2] Investment fraud (largely cryptocurrency related) was the largest single loss category at more than $6.5 billion in reported losses.[2]

Washington Breakdown

Washington's 2024 figures place the state in the top ten to twelve nationally on both volume and dollar metrics. The $368 million in reported Washington losses and 18,009 complaints filed by Washington residents reflect a state with concentrated exposure across technology, healthcare, aerospace, and managed services.[1][2] The top reported national cybercrime categories by complaint volume in 2024 were phishing and spoofing (roughly 193,000 complaints), extortion (roughly 86,000), and personal data breaches (roughly 65,000).[2] These same categories drive the bulk of Washington activity.

The State-Level View: WA AG 2024 Annual Data Breach Report

Unlike most states, Washington publishes its own annual breach report through the Attorney General's Office. The ninth annual report, covering the period from July 24, 2023 through July 23, 2024, documents an inflection point in the state's threat landscape.[3][4]

11.6 million individual breach notices were sent to Washingtonians during the reporting period, the first time the volume of notices exceeded the state's resident population.[3][4]
279 breaches affected 500 or more Washington residents in the period, the second-highest annual count since 2016.[3]
Cyberattacks accounted for 78% of all reported breaches, up from 68% in the prior year. Within cyberattacks, ransomware represented 52% of incidents, making it the single most common attack pattern reported to the Attorney General.[3][4]
The remaining categories (mistaken disclosure, lost or stolen device or paper records, unauthorized access by insiders) collectively account for 22% of breaches reported to the Attorney General during the period.[3]

The Attorney General's annual report functions as the most direct measure of the state-specific breach environment available in the United States. Most state attorneys general do not publish a comparable annual analysis, which is why national reports often understate the operational consequences of state-level notification thresholds.

Major Washington-Domiciled or Washington-Relevant Breaches (2023-2025)

Fred Hutchinson Cancer Center and UW Medicine (November 2023, disclosed December 2023)

Between November 19 and 25, 2023, the Hunters International ransomware group exploited Citrix Bleed (CVE-2023-4966) to gain access to Fred Hutchinson Cancer Center's systems. The intrusion exposed protected health information for approximately 2.1 million patients, including names, dates of birth, Social Security numbers, diagnoses, treatment information, and medical record numbers.[5][6] Because Fred Hutch operates an integrated clinical and research collaboration with UW Medicine, the affected population includes patients of both institutions.[5]

The intrusion was notable for the attackers' direct-to-patient extortion model: individual patients received personalized emails demanding $50 in cryptocurrency under threat of public exposure of their treatment records, with some recipients also threatened with SWATing if they refused.[5][6] Fred Hutchinson disclosed the incident on December 6, 2023 and subsequently committed approximately $25 million across remediation, settlement, and additional cybersecurity investment: roughly $11.5 million in patient settlement and a separate $13.5 million cybersecurity investment commitment.[7]

T-Mobile (Bellevue, WA): 2021 Breach, 2023 API Breach, $31.5M FCC Settlement

T-Mobile US, headquartered in Bellevue, Washington, has been the subject of three consequential disclosures relevant to this report period.

2021 breach: approximately 76.6 million customer records exposed, including names, addresses, dates of birth, Social Security numbers, and driver's license or ID information for roughly 40 million former and prospective customers, 5.3 million current postpaid customers, and 667,000 former customers, per T-Mobile's August 2021 SEC disclosures.[14]
2023 API breach: approximately 37 million accounts exposed via an unauthorized API call between November 25, 2022 and January 5, 2023. Accessed fields included name, billing address, email, phone number, date of birth, account number, and number of lines on the account. Social Security numbers, passwords, PINs, and payment data were not accessed in this incident.[15][16]
September 30, 2024 FCC settlement: $31.5 million total ($15.75 million civil penalty plus a separate $15.75 million cybersecurity investment commitment). The consent decree resolves the 2021, 2022, and 2023 incidents and requires T-Mobile to move toward a zero-trust architecture, implement multi-factor authentication, and undertake additional governance commitments.[8][9]

Boeing Commercial Airplanes (Renton, WA): October 2023 LockBit Ransomware

In late October 2023 the LockBit ransomware group listed Boeing on its data leak site. Boeing's commercial airplanes division is headquartered in Renton, Washington, with major manufacturing operations across Everett, Renton, and Auburn. The parent company's corporate headquarters relocated from Chicago to Arlington, Virginia in 2022, but the operational footprint affected by the incident is overwhelmingly Washington-based.

LockBit published approximately 43 GB of Boeing data in November 2023 after the company did not meet the ransom deadline. The exfiltrated material consisted primarily of backup files for IT management, monitoring, and auditing tools. Boeing stated that the incident affected its parts and distribution business and that there was no compromise to aircraft or flight safety.[10]

In May 2024 the U.S. Department of Justice unsealed an indictment against LockBit administrator Dmitry Khoroshev that included a reference to a $200 million ransom demand against an unnamed multinational aeronautical and defense corporation. Boeing subsequently confirmed it was the company referenced and that it had refused to pay.[11]

Microsoft (Redmond, WA): Storm-0558 and Midnight Blizzard

Microsoft was the subject of two distinct nation-state intrusions in 2023 and 2024 that were the focus of unusual federal attention.

Storm-0558 (May to June 2023): A China-based threat actor forged authentication tokens using a stolen Microsoft Services Account signing key to access enterprise Exchange Online mailboxes. The Cyber Safety Review Board's final report concluded that 22 enterprise organizations and approximately 503 related consumer accounts were affected, including the U.S. Department of State, the U.S. Department of Commerce, and U.S. House of Representatives accounts.[17][18] An estimated 60,000 State Department emails were exfiltrated across 10 accounts, focused on Indo-Pacific and East Asia diplomatic correspondence.[19] The Cyber Safety Review Board's final report, released publicly in April 2024, concluded the intrusion was "preventable" and characterized Microsoft's security culture during the relevant period as inadequate and in need of overhaul.[18]

Midnight Blizzard (detected January 12, 2024): A Russian SVR-linked actor (also tracked as Nobelium or APT29) executed a password spray against a legacy non-production test tenant beginning in late November 2023, then used the foothold to access email accounts of members of Microsoft's senior leadership team and personnel in cybersecurity, legal, and other functions.[20][21] In an amended SEC filing on March 8, 2024, Microsoft disclosed that the actor had used information from the exfiltrated emails to access source code repositories and internal systems, and that password spray volume increased "as much as 10-fold" in February 2024 versus January 2024.[22]

Navia Benefit Solutions (Renton, WA): Disclosed Early 2026

Navia Benefit Solutions, a Renton, Washington headquartered benefits administrator, disclosed an unauthorized access incident affecting approximately 2.7 million individuals, including beneficiaries of the Washington State Health Care Authority and multiple national employer plans. The unauthorized access window ran from December 22, 2025 through January 15, 2026, with exposed data including names, email addresses, phone numbers, and Social Security numbers for a subset of affected individuals.[23] The Navia disclosure illustrates that the trend lines documented through 2024 in the Washington Attorney General's annual report continued without interruption into 2026.

The Washington Regulatory Environment

My Health My Data Act (MHMDA)

Washington's My Health My Data Act, signed into law April 27, 2023 and codified at RCW 19.373, is the most restrictive consumer health data privacy law in the United States. The geofencing prohibition in Section 10 took effect July 23, 2023. The Act became effective March 31, 2024 for regulated entities (entities other than small businesses) and June 30, 2024 for small businesses.[12][13]

MHMDA is materially broader than HIPAA in two critical ways. First, it covers consumer health data wherever collected, not just data in the hands of HIPAA covered entities. Second, it provides a private right of action, which is rare among U.S. health privacy laws. Any violation of MHMDA is a per se violation of the Washington Consumer Protection Act (RCW 19.86), giving the Attorney General authority to seek injunctions, restitution, and civil penalties of up to $7,500 per violation, plus attorney's fees.[12]

The first MHMDA class action was filed February 10, 2025 in the U.S. District Court for the Western District of Washington against Amazon. The complaint alleges Amazon's advertising SDK, embedded in third-party mobile applications, collected location data that revealed health information about users without the consent required by MHMDA.[24][25] The case is unresolved as of this report, but its filing confirms that the private right of action is actively in use.

RCW 19.255: Washington Breach Notification

Washington's data breach notification law (RCW 19.255.010) was tightened by HB 1071, effective March 1, 2020. The current law requires entities suffering a breach of personal information to notify affected Washington residents within 30 days of discovery (reduced from 45 days) and to notify the Attorney General within 30 days if 500 or more Washington residents are affected by a single incident.[26][27] The Attorney General publishes the resulting notices on its website, which feeds the annual breach report cited above.

Washington's 30-day window is materially tighter than the federal HIPAA Breach Notification Rule's 60-day deadline and notably tighter than the 30-day deadlines being adopted in other jurisdictions through 2026.

What This Means for Washington Mid-Market Organizations

Three implications follow directly from the data above.

1. Identity and access management is the dominant attack surface. The Storm-0558 token forgery, the T-Mobile API abuse, the Hunters International CitrixBleed exploitation, and the Midnight Blizzard password spray all turned on identity infrastructure that did not enforce assumed-breach defaults. Mid-market organizations operating in Washington should treat managed identity controls, including conditional access, privileged access workstations, phishing-resistant multi-factor authentication, and continuous session validation, as table stakes rather than aspirational.

2. Healthcare and consumer health data carry compounding regulatory exposure. Washington-headquartered healthcare providers and any organization processing the consumer health data of Washington residents now operate under MHMDA in addition to HIPAA. The combined exposure is materially larger than either law alone. Mid-market healthcare organizations and their business associates should pull healthcare cybersecurity controls forward on the roadmap and document MHMDA compliance separately from HIPAA compliance.

3. The 30-day notification window changes breach response economics. Tabletop exercises designed around a 60-day federal deadline do not match the Washington reality. Mid-market organizations should rehearse breach response under a 30-day clock with documented decision points for legal counsel engagement, forensic vendor activation, AG notification, and individual notification mailing. Organizations operating in the Seattle metro should also assume that local press coverage of any 500-plus resident breach is more likely than in markets without an annual state breach report.

Frequently Asked Questions

What were Washington's IC3 losses and complaints in 2024?

Washington residents reported approximately $368 million in losses and 18,009 complaints to the FBI Internet Crime Complaint Center (IC3) in 2024, ranking the state roughly tenth nationally by losses and twelfth by complaint volume.[1][2]

How many breach notices were sent to Washington residents in 2024?

According to the Washington Attorney General's 2024 Annual Data Breach Report, 11.6 million individual breach notices were sent to Washingtonians during the reporting period ending July 23, 2024. It was the first time the volume of breach notices in a single year exceeded the state's resident population.[3][4]

What is Washington's data breach notification deadline?

Under RCW 19.255.010, entities that suffer a breach of personal information must notify affected Washington residents within 30 days of discovery and must notify the Attorney General within 30 days if 500 or more Washington residents are affected.[26][27]

What is the My Health My Data Act and when did it take effect?

The My Health My Data Act (MHMDA), codified at RCW 19.373, is Washington's consumer health data privacy law. It became effective March 31, 2024 for regulated entities (other than small businesses) and June 30, 2024 for small businesses. The geofencing prohibition took effect July 23, 2023. MHMDA provides a private right of action and authorizes civil penalties of up to $7,500 per violation through the Consumer Protection Act.[12][13]

How many people were affected by the Fred Hutchinson Cancer Center breach?

Approximately 2.1 million patients of Fred Hutchinson Cancer Center and UW Medicine had protected health information exposed in the November 2023 Hunters International ransomware intrusion, which exploited the Citrix Bleed vulnerability (CVE-2023-4966). The attackers sent individual extortion demands to patients seeking $50 in cryptocurrency, in some cases combined with SWATing threats.[5][6][7]

How much did T-Mobile pay in the FCC settlement?

The FCC's September 30, 2024 settlement totaled $31.5 million: a $15.75 million civil penalty and a separate $15.75 million cybersecurity investment commitment. The consent decree resolves the 2021, 2022, and 2023 customer data incidents and requires T-Mobile to move toward a zero-trust architecture.[8][9]

Engage a vCISO to Operationalize These Findings

The breach patterns documented above (vendor compromise, identity-infrastructure exploitation, ransomware double-extortion) are not solved by adding more security tools. They are addressed by a security program with clear leadership accountability for vendor risk, identity controls, and tested incident response. For mid-market organizations that do not have a full-time CISO, a fractional or virtual CISO arrangement provides this leadership at a fraction of the cost of a senior hire. BlueRadius's virtual CISO services embed a senior security leader into the organization to translate threat data of the kind in this report into board-defensible programs, with explicit accountability for vendor risk reviews, identity hardening, and rehearsed breach response under the relevant 30-day notification clock.

BlueRadius Research Library

Sourced research reports across the BlueRadius cybersecurity catalog. Every report below is footnoted to primary or established secondary sources, and each tracks a different slice of the threat and regulatory landscape facing mid-market organizations.

Sources

[1] KING 5 News, "FBI Seattle launches 'Operation Winter Shield' to combat cybercrime," citing FBI IC3 2024 Washington state figures. king5.com.

[2] Federal Bureau of Investigation, Internet Crime Complaint Center, "2024 Internet Crime Report," released April 23, 2025. ic3.gov.

[3] Washington State Office of the Attorney General, "Data Breach Report 2024" (ninth annual report). agportal-s3bucket.s3.us-west-2.amazonaws.com (PDF).

[4] Washington State Office of the Attorney General, "AG Report: Data breaches reach new all-time high in Washington," press release. atg.wa.gov.

[5] Fred Hutchinson Cancer Center, "Fred Hutchinson Cancer Center notifies patients of data security incident," December 6, 2023 press release. fredhutch.org.

[6] HIPAA Journal, "Fred Hutchinson Cancer Center Data Breach Settlement." hipaajournal.com.

[7] The Register, "Fred Hutch commits $52.5M for breach settlement and security upgrades," May 30, 2025. theregister.com.

[8] Federal Communications Commission, Consent Decree with T-Mobile US, Inc., DA 24-988, September 30, 2024. docs.fcc.gov (PDF).

[9] Cybersecurity Dive, "T-Mobile reaches $31.5M settlement with FCC over years of data breaches," October 1, 2024. cybersecuritydive.com.

[10] BleepingComputer, "LockBit ransomware leaks gigabytes of Boeing data," November 10, 2023. bleepingcomputer.com.

[11] CyberScoop, "Boeing confirms attempted $200 million ransomware extortion attempt," reporting on the unsealed DOJ indictment of LockBit administrator Dmitry Khoroshev. cyberscoop.com.

[12] Washington State Office of the Attorney General, "Protecting Washingtonians' personal health data and privacy." atg.wa.gov.

[13] Goodwin Procter, "Washington's My Health My Data Act Takes Effect," March 2024 alert detailing the March 31, 2024 effective date. goodwinlaw.com.

[14] T-Mobile US, Inc., Form 8-K and Exhibit 99.1, filed August 2021 disclosing customer data incident scope. sec.gov.

[15] T-Mobile US, Inc., Form 8-K filed January 19, 2023 disclosing the API-based unauthorized data access. sec.gov.

[16] Brian Krebs, KrebsOnSecurity, "New T-Mobile Breach Affects 37 Million Accounts," January 19, 2023. krebsonsecurity.com.

[17] Microsoft Threat Intelligence, "Analysis of Storm-0558 techniques for unauthorized email access," July 14, 2023. microsoft.com.

[18] Cyber Safety Review Board, "Review of the Summer 2023 Microsoft Exchange Online Intrusion," final report. cisa.gov (PDF).

[19] Infosecurity Magazine, "Microsoft Breach Exposed 60,000 US State Department Emails." infosecurity-magazine.com.

[20] Microsoft Security Response Center, "Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard," January 19, 2024. microsoft.com.

[21] Microsoft Corporation, Form 8-K, filed January 19, 2024. sec.gov.

[22] Microsoft Corporation, Form 8-K/A, filed March 8, 2024 disclosing source code repository access. sec.gov.

[23] HIPAA Journal, "Navia Benefit Solutions Data Breach Affects 2.7 Million Individuals." hipaajournal.com.

[24] WilmerHale, "First Lawsuit Filed Under Washington's My Health My Data Act," February 20, 2025. wilmerhale.com.

[25] HIPAA Journal, "Amazon SDK Privacy Lawsuit Filed Under Washington My Health My Data Act." hipaajournal.com.

[26] Washington State Office of the Attorney General, "Washington's data breach notification laws." atg.wa.gov.

[27] Revised Code of Washington, RCW 19.255.010, "Personal information, notice of security breaches." app.leg.wa.gov.

Washington State Cybersecurity Breach Report 2025: $368M Losses, 11.6M Notices