The Washington State Attorney General publishes data breach notifications for incidents affecting Washington residents. We track the same monthly format as our Texas OAG breach reports.
Washington AG data shows 50 breach notifications published so far in 2026, affecting 505,577 Washingtonians, current through Jun 19, 2026.
2026 Breach Dashboard
Interactive Dashboard
Washington AG Breach Notifications: 2026 YTD
Washingtonians affected by published breach notices through Jun 19, 2026
Show largest 2026 breach reports
| Entity | Published | Washingtonians affected | Sector |
|---|---|---|---|
| Heritage Bank | Apr 23, 2026 | 168,505 | Financial |
| Carnival Corporation | May 27, 2026 | 54,960 | Other |
| Caesars Entertainment, Inc. | May 19, 2026 | 44,023 | PII / Identity |
| Mt. Spokane Pediatrics | Apr 30, 2026 | 29,410 | Healthcare / Medical |
| Xsolis, Inc. | Jun 19, 2026 | 24,711 | Healthcare / Medical |
Source: Washington State Attorney General - Data Breach Notifications. Data current through Jun 19, 2026.
Sources
State AG breach portals
What Washington Publishes
Washington notifications include the reporting organization, notice dates, and Washingtonians affected. That makes Washington a good fit for the same affected-count view we publish for Texas, unlike California’s list-only portal.
Largest 2026 Breach Notifications So Far
The largest published Washington AG breach notifications in 2026 by Washingtonians affected are:
- Navia Benefit Solutions, Inc. (City of Bellevue) — 319,208 Washingtonians (Government / Benefits)
- Heritage Bank — 168,505 Washingtonians (Financial)
- Carnival Corporation — 54,960 Washingtonians (Hospitality / Travel)
- Caesars Entertainment, Inc. — 44,023 Washingtonians (Hospitality / Entertainment)
- Mt. Spokane Pediatrics — 29,410 Washingtonians (Healthcare)
| Organization | Date Published | Washingtonians Affected | Sector |
|---|---|---|---|
| Navia Benefit Solutions, Inc. (City of Bellevue) | Mar 18, 2026 | 319,208 | Government / Benefits |
| Heritage Bank | Apr 23, 2026 | 168,505 | Financial |
| Carnival Corporation | May 27, 2026 | 54,960 | Hospitality / Travel |
| Caesars Entertainment, Inc. | May 19, 2026 | 44,023 | Hospitality / Entertainment |
| Mt. Spokane Pediatrics | Apr 30, 2026 | 29,410 | Healthcare |
| OpenLoop Health Inc. | Mar 27, 2026 | 19,980 | Healthcare |
| WellPoint (Independent Clinics of Washington, Elevance Health) | Jun 2, 2026 | 12,017 | Healthcare |
| Bayside Dental | Apr 17, 2026 | 9,683 | Healthcare |
| Strategic Education Inc. | Jun 1, 2026 | 14,112 | Education |
| Plaza Home Mortgage Inc. | Jun 5, 2026 | 9,598 | Financial / Mortgage |
The Washington dataset does not consistently identify attack methods, so these are the largest published notifications by affected Washingtonians — not necessarily the largest confirmed hacks by technique. Several national brands (Carnival, Caesars, WellPoint) also appear on Texas and California AG portals.
Why This Matters
Washington businesses that hold personal data must notify the Attorney General when breaches affect state residents. Weak email authentication, reused passwords, and missing MFA still show up repeatedly in the paths that lead to public breach notices.
If you operate in multiple states, a Washington notification may still matter to Texas-based vendors, clients, or remote employees whose data was exposed.
Practical Steps
- Review the Washington AG notification list for organizations you do business with.
- Compare your posture against our Texas OAG tracker if you also serve Texas residents.
- Enforce DMARC, DKIM, and SPF on your domain.
- Require MFA on email and financial systems.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com.