A ransomware attack on an outside contractor for Washington's Department of Labor and Industries may have exposed contact information and other personal data for more than 16,000 workers' compensation claimants.
In a notice posted Thursday morning, L&I said it was "recently notified" of the attack on Pacific Market Research, which the agency had contracted to conduct a customer service survey.
According to the statement, "data on some of PMR's servers was encrypted by an unauthorized party." A document on the vendor's system "listed contact information, claim numbers and dates of birth for 16,466 workers who had workers' compensation claims in 2019," L&I said.
No medical information, Social Security numbers, bank or credit card information or other personal information was included on the document, L&I said, and none of the agency's own systems were affected in the attack. The agency sent notifications to affected claimants on June 29.
An agency spokesperson said the attack occurred May 22 and that Pacific Market Research notified L&I about the attack on June 4, and provided additional information June 9. "It took the company some time to assess the scope of the incident and determine which documents were potentially at risk," said L&I spokesperson Rich Roesler in an email Thursday.
Regarding the several weeks between learning of the attack and alerting claimants, Roesler said the agency "worked as quickly as we could to get the notifications out set up the call center and send out the news release."
The PMR document also contained L&I account numbers for 9,400 employers, although those numbers are already publicly available.
L&I said Pacific Market Research had conducted an "independent forensic investigation" and concluded that the document in question was not "accessed or taken in the May 22 incident, but cannot be 100 percent certain."
"Out of an abundance of caution," L&I and PMR are notifying the workers of the possible exposure and offering them 12 months of free credit monitoring, L&I said. Those notices, which were mailed, were expected to start arriving today.
L&I is also notifying the employers whose L&I account numbers were in the document.
