4 News Now investigation: Data breach that impacted WA’s unemployed also hit cities, schools and hospitals

A computer hack of the Washington state Auditor’s Office resulted in the theft of names, social security numbers and bank information from more than a million Washingtonians who filed for unemployment. But, that sensitive information was not the only thing stolen. 

On December 25, file transfer company Accellion was hacked. The impact was not immediately known until the state auditor’s office found out on January 12, and it took nearly a month to realize those one million people who filed for unemployment had their personal information stolen. 

The state auditor’s office was in the middle of transferring files for an investigation into the Employment Security Department when Accellion was hacked. ESD had a breach in 2020, and gave away more than $640 million in fake unemployment claims. Crooks used stolen personal information to do this.

It then took another week for the auditor’s office to notify people, but it was not until 4 News Now’s Kaitlin Knapp filed a public records request that we discovered much more personal information was at risk. 

READ: Data breach potentially exposes information of more than one million Washingtonians 

At the time, the auditor’s office disclosed that the breach hit state and local government agencies, but did not say which ones. That records request showed nearly 200 agencies had some form of information stolen, including the City of Spokane.

“That was the initial concern, is how widespread was this? Is this just going to be employees? And just employees, does that mean all 2,000 City employees or just a small subset? Does this go beyond to the community?” said City Spokesman Brian Coddington. 

Eleven City of Spokane employees had their personal information stolen. Other places hit include school districts, like Central Valley. The district told 4 News Now that it the auditor’s office was running a financial audit on them, and all the information compromised was public. Fire Districts in Grant and Okanogan Counties were also hit. According to Grant County Fire District 8, photographs of small asset inventory items and audit closing documents were apart of the breach. Several public hospitals like Samaritan in Moses Lake, were also victims. 

“The only information that was on there was any information that was already public,” said Alex Town, Chief Administrative Officer of Samaritan Healthcare. “For example, our name, address, date of the service that occurred and the amount of the bill. That was pretty much what was compromised with those files.” 

Town said the 20 invoices compromised didn’t raise concern and calls the impact very minimal.

Many agencies were willing to share how they were affected, yet the state auditor’s office was adamant that they did not want 4 News Now to bring this information to light. 

The auditor’s office said these agencies are still at risk for extortion and ransomware, potentially putting the public’s information in danger. 

“In this case, we feel comfortable and good about what we’ve done and we’re going to continue to be vigilant about it,” Coddington said. “We consistently monitor security and we actually have a data security person, that’s their job is to make sure that we are on top of all of our protocols.”

“You don’t know what kind of system they have on the other side. And as organizations we do the best to protect our patients, our information before it is sent out,” Town said. “When we received the notification and we looked in the files, I was like, “Oh shoo. It could’ve been a lot worse.”

While these agencies are staying proactive to protect their information and yours, it is still a good idea to remain vigilant when giving out some of your most sensitive information. 

“Especially in a day and age where we’re relying more and more on technology, it’s concerning and it’s why we as a city operation are on it on a daily basis and have people specifically assigned to make sure that this kind of thing doesn’t happen to us,” Coddington said. 

RELATED: BBB says small steps help protect your information from being stolen

READ: Data breach compromised info of 1.6M who sought unemployment

RELATED: Audit: Unemployment fraud likely higher than $647 million