Active breach tracker Birmingham, Alabama Disclosed April 8, 2025

Alabama Ophthalmology Associates Data Breach 2025: 131,576 Affected · BianLian Ransomware Claim · $850K Settlement Preliminarily Approved

Alabama Ophthalmology Associates (AOA), a Birmingham, AL ophthalmology practice, was breached by an unauthorized actor between January 22 and January 30, 2025. Notifications mailed April 7, 2025 disclosed exposure of names, Social Security numbers, driver's license numbers, dates of birth, medical record numbers, treatment and medical history information, and health insurance details for 131,576 individuals. The BianLian ransomware group claimed credit. A consolidated state class action settled for $850,000 with preliminary approval on February 19, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 22, 2025

Unauthorized access to AOA network begins

Jan 30, 2025

AOA detects unusual network activity and launches investigation

Feb 19, 2025

BianLian lists AOA on its dark-web leak site, claiming data theft

Mar 19, 2025

AOA completes review of affected files

Apr 7, 2025

AOA begins mailing notification letters to affected individuals

Apr 8, 2025

AOA files breach report with HHS OCR: 131,576 affected

Apr 15, 2025

First putative class action filed (David Lee and Paul Mason v. AOA, Circuit Court of Jefferson County, AL)

Aug 18, 2025

Court consolidates cases and appoints interim co-lead class counsel

Aug 19, 2025

Full-day virtual mediation with JAMS mediator Bruce Friedman, Esq.; no resolution reached

Sep 2, 2025

Parties reach settlement in principle

Dec 17, 2025

Settlement agreement signed

Feb 19, 2026

Circuit Court of Jefferson County grants preliminary approval to $850,000 class settlement

Jun 5, 2026

Opt-out and objection deadline (passed)

Jun 25, 2026

Final approval hearing scheduled at 2:00 p.m.

Jul 6, 2026

Claims deadline (online or postmarked)

Data exposed

01

High-risk identity

Enables financial + identity theft

Driver's license numbers Social Security numbers

02

Health records

Don't expire and can't be reissued

Medical record numbers Treatment information

03

Contact & insurance

Phishing + targeted scams

Names Addresses Dates of birth Medical history information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

David Lee and Paul Mason (lead plaintiffs, consolidated state court action)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Alabama Ophthalmology Associates (“AOA”), a multi-location ophthalmology practice with offices in Birmingham and Vestavia Hills, Alabama, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 8, 2025, reporting 131,576 affected individuals in a hacking incident at a network server and desktop computer. AOA’s substitute notice and subsequent reporting confirm an unauthorized actor accessed the network between January 22 and January 30, 2025. The practice ultimately notified 153,575 individuals across two rounds of direct-mail notice and a substitute notice — more than the HHS OCR count — as it notified all current and former patients from its practice management system out of an abundance of caution.

The BianLian ransomware group claimed responsibility on its dark-web leak site on February 19, 2025, and multiple sources confirm BianLian published the stolen data publicly. BianLian asserted it had taken finance and HR data, patient records, biometric information, and emails; AOA’s own notice did not verify the group’s specific characterizations of data volume or content.

Timeline

  • 2025-01-22 — access: Forensic investigation determined unauthorized access to AOA’s network began on this date.
  • 2025-01-30 — detected: AOA identified unusual activity in its network and launched an investigation.
  • 2025-02-19 — other: The BianLian ransomware group listed AOA on its dark-web leak site and published stolen data.
  • 2025-03-19 — other: AOA completed its review of the affected files and finalized the population of impacted individuals.
  • 2025-04-07 — notified: AOA began mailing notification letters to affected individuals with available address information.
  • 2025-04-08 — filed: AOA filed the breach with HHS OCR, reporting 131,576 affected individuals.
  • 2025-04-15 — class-action: First putative class action filed (David Lee and Paul Mason v. Alabama Ophthalmology Associates, P.C., Circuit Court of Jefferson County, AL, No. 01-cv-2025-901488.00).
  • 2025-08-18 — other: Court consolidates cases and appoints interim co-lead class counsel.
  • 2025-08-19 — other: Full-day virtual mediation before JAMS mediator Bruce Friedman, Esq.; no resolution reached.
  • 2025-09-02 — other: Parties reach settlement in principle.
  • 2025-12-17 — other: Settlement agreement signed.
  • 2026-02-19 — settled: The Circuit Court of Jefferson County granted preliminary approval to an $850,000 class-wide settlement in In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation.
  • 2026-06-05 — other: Opt-out and objection deadline (passed).
  • 2026-06-25 — other: Final approval hearing scheduled at 2:00 p.m. (Circuit Court of Jefferson County).
  • 2026-07-06 — other: Claims deadline (online submission or postmark).

What was exposed

Per AOA’s substitute notice and notification letter, the categories of information that may have been compromised include:

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Social Security numbers
  • Medical record numbers
  • Treatment information
  • Medical history information
  • Health insurance information

AOA noted in its notice that “not all data elements were affected for all individuals.”

What the entity is offering

AOA’s individual notification letters established a toll-free support call center (1-877-280-2754, Monday-Friday, 8 a.m. to 8 p.m. Central). The publicly available substitute notice from AOA does not describe a free credit-monitoring or identity-protection enrollment offer to all affected individuals outside of the settlement.

Under the preliminarily approved class-action settlement — administered by Simpluris, reachable at (833) 244-7341 or [email protected] — class members may claim:

  • Two years of medical data monitoring and identity-theft protection services, and
  • Either documented out-of-pocket losses up to $5,000 per class member (supported by receipts), or
  • A pro rata cash payment estimated at approximately $60 per class member.

The opt-out and objection deadlines were June 5, 2026 (passed). The claims deadline is July 6, 2026 (online or postmarked). The final approval hearing is scheduled for June 25, 2026 at 2:00 p.m. before the Circuit Court of Jefferson County.

Class-action posture

The first putative class action, filed April 15, 2025 by David Lee and Paul Mason in the Circuit Court of Jefferson County, Alabama (No. 01-cv-2025-901488.00), was consolidated on August 18, 2025 with parallel cases into In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation. Named plaintiffs include David Lee, Paul Mason, June Mack, Willie Ellis, Benjamin Melton, Thomas Warren, and several others including representatives for two minors (W.M. and B.B.). An August 19, 2025 full-day virtual mediation before JAMS mediator Bruce Friedman, Esq. did not produce a resolution; the parties reached a settlement in principle on September 2, 2025 and signed the settlement agreement on December 17, 2025.

The $850,000 non-reversionary class settlement received preliminary approval on February 19, 2026. Approximately 153,575 individuals were notified. The final approval hearing is scheduled for June 25, 2026 at 2:00 p.m. before the same court; the claims deadline is July 6, 2026. Plaintiffs alleged AOA failed to implement reasonable cybersecurity measures to protect patient and employee information. AOA denies wrongdoing.

What to do

  1. Freeze your credit at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). With Social Security numbers and driver’s license numbers in scope, a freeze is the single highest-leverage protective step and is free.
  2. File IRS Form 14039 (Identity Theft Affidavit) if you are concerned someone may attempt to file a fraudulent tax return using your Social Security number.
  3. Submit your settlement claim before July 6, 2026. The claims deadline is July 6, 2026 (online at aoasettlement.com or by postmark). The official settlement administrator is Simpluris; call (833) 244-7341 or email [email protected] with questions. Out-of-pocket losses up to $5,000 require documentation (receipts); a smaller pro-rata cash payment requires no documentation.
  4. Watch for the AOA notification letter at the address on file with the practice; the letter identifies which specific data elements were exposed for you.
  5. Monitor for medical-identity-theft signals. Review explanation-of-benefits statements from your health insurer for services you did not receive, and read denial letters carefully. Someone using stolen insurance and treatment details can trigger incorrect diagnoses or drug history in your records, which can affect future care.
  6. Watch your ophthalmology records specifically. This breach is from an eye-care specialist; verify your vision and surgical records are accurate the next time you see a provider — fraudulent prior procedures or diagnoses can affect coverage and clinical decisions.
  7. Stop the ongoing flow of your eye-care and medical data. HealthConsent files HIPAA restriction requests so the treatment information and health insurance details exposed in this breach are not continuously re-shared with insurers, data brokers, and marketing networks that pull from practice management systems like the one AOA uses.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.