Alabama Ophthalmology Associates Data Breach 2025: 131,576 Affected · BianLian Ransomware Claim · $850K Settlement Preliminarily Approved
Alabama Ophthalmology Associates (AOA), a Birmingham, AL ophthalmology practice, was breached by an unauthorized actor between January 22 and January 30, 2025. Notifications mailed April 7, 2025 disclosed exposure of names, Social Security numbers, driver's license numbers, dates of birth, medical record numbers, treatment and medical history information, and health insurance details for 131,576 individuals. The BianLian ransomware group claimed credit. A consolidated state class action settled for $850,000 with preliminary approval on February 19, 2026.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 22, 2025
Unauthorized access to AOA network begins
Jan 30, 2025
AOA detects unusual network activity and launches investigation
Feb 19, 2025
BianLian lists AOA on its dark-web leak site, claiming data theft
Mar 19, 2025
AOA completes review of affected files
Apr 7, 2025
AOA begins mailing notification letters to affected individuals
Apr 8, 2025
AOA files breach report with HHS OCR: 131,576 affected
Apr 15, 2025
First putative class action filed (David Lee and Paul Mason v. AOA, Circuit Court of Jefferson County, AL)
Aug 18, 2025
Court consolidates cases and appoints interim co-lead class counsel
Aug 19, 2025
Full-day virtual mediation with JAMS mediator Bruce Friedman, Esq.; no resolution reached
Sep 2, 2025
Parties reach settlement in principle
Dec 17, 2025
Settlement agreement signed
Feb 19, 2026
Circuit Court of Jefferson County grants preliminary approval to $850,000 class settlement
Jun 5, 2026
Opt-out and objection deadline (passed)
Jun 25, 2026
Final approval hearing scheduled at 2:00 p.m.
Jul 6, 2026
Claims deadline (online or postmarked)
Jan 22, 2025
Unauthorized access to AOA network begins
Jan 30, 2025
AOA detects unusual network activity and launches investigation
Feb 19, 2025
BianLian lists AOA on its dark-web leak site, claiming data theft
Mar 19, 2025
AOA completes review of affected files
Apr 7, 2025
AOA begins mailing notification letters to affected individuals
Apr 8, 2025
AOA files breach report with HHS OCR: 131,576 affected
Apr 15, 2025
First putative class action filed (David Lee and Paul Mason v. AOA, Circuit Court of Jefferson County, AL)
Aug 18, 2025
Court consolidates cases and appoints interim co-lead class counsel
Aug 19, 2025
Full-day virtual mediation with JAMS mediator Bruce Friedman, Esq.; no resolution reached
Sep 2, 2025
Parties reach settlement in principle
Dec 17, 2025
Settlement agreement signed
Feb 19, 2026
Circuit Court of Jefferson County grants preliminary approval to $850,000 class settlement
Jun 5, 2026
Opt-out and objection deadline (passed)
Jun 25, 2026
Final approval hearing scheduled at 2:00 p.m.
Jul 6, 2026
Claims deadline (online or postmarked)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Alabama Ophthalmology Associates (“AOA”), a multi-location ophthalmology practice with offices in Birmingham and Vestavia Hills, Alabama, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 8, 2025, reporting 131,576 affected individuals in a hacking incident at a network server and desktop computer. AOA’s substitute notice and subsequent reporting confirm an unauthorized actor accessed the network between January 22 and January 30, 2025. The practice ultimately notified 153,575 individuals across two rounds of direct-mail notice and a substitute notice — more than the HHS OCR count — as it notified all current and former patients from its practice management system out of an abundance of caution.
The BianLian ransomware group claimed responsibility on its dark-web leak site on February 19, 2025, and multiple sources confirm BianLian published the stolen data publicly. BianLian asserted it had taken finance and HR data, patient records, biometric information, and emails; AOA’s own notice did not verify the group’s specific characterizations of data volume or content.
Timeline
- 2025-01-22 — access: Forensic investigation determined unauthorized access to AOA’s network began on this date.
- 2025-01-30 — detected: AOA identified unusual activity in its network and launched an investigation.
- 2025-02-19 — other: The BianLian ransomware group listed AOA on its dark-web leak site and published stolen data.
- 2025-03-19 — other: AOA completed its review of the affected files and finalized the population of impacted individuals.
- 2025-04-07 — notified: AOA began mailing notification letters to affected individuals with available address information.
- 2025-04-08 — filed: AOA filed the breach with HHS OCR, reporting 131,576 affected individuals.
- 2025-04-15 — class-action: First putative class action filed (David Lee and Paul Mason v. Alabama Ophthalmology Associates, P.C., Circuit Court of Jefferson County, AL, No. 01-cv-2025-901488.00).
- 2025-08-18 — other: Court consolidates cases and appoints interim co-lead class counsel.
- 2025-08-19 — other: Full-day virtual mediation before JAMS mediator Bruce Friedman, Esq.; no resolution reached.
- 2025-09-02 — other: Parties reach settlement in principle.
- 2025-12-17 — other: Settlement agreement signed.
- 2026-02-19 — settled: The Circuit Court of Jefferson County granted preliminary approval to an $850,000 class-wide settlement in In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation.
- 2026-06-05 — other: Opt-out and objection deadline (passed).
- 2026-06-25 — other: Final approval hearing scheduled at 2:00 p.m. (Circuit Court of Jefferson County).
- 2026-07-06 — other: Claims deadline (online submission or postmark).
What was exposed
Per AOA’s substitute notice and notification letter, the categories of information that may have been compromised include:
- Names
- Addresses
- Dates of birth
- Driver’s license numbers
- Social Security numbers
- Medical record numbers
- Treatment information
- Medical history information
- Health insurance information
AOA noted in its notice that “not all data elements were affected for all individuals.”
What the entity is offering
AOA’s individual notification letters established a toll-free support call center (1-877-280-2754, Monday-Friday, 8 a.m. to 8 p.m. Central). The publicly available substitute notice from AOA does not describe a free credit-monitoring or identity-protection enrollment offer to all affected individuals outside of the settlement.
Under the preliminarily approved class-action settlement — administered by Simpluris, reachable at (833) 244-7341 or [email protected] — class members may claim:
- Two years of medical data monitoring and identity-theft protection services, and
- Either documented out-of-pocket losses up to $5,000 per class member (supported by receipts), or
- A pro rata cash payment estimated at approximately $60 per class member.
The opt-out and objection deadlines were June 5, 2026 (passed). The claims deadline is July 6, 2026 (online or postmarked). The final approval hearing is scheduled for June 25, 2026 at 2:00 p.m. before the Circuit Court of Jefferson County.
Class-action posture
The first putative class action, filed April 15, 2025 by David Lee and Paul Mason in the Circuit Court of Jefferson County, Alabama (No. 01-cv-2025-901488.00), was consolidated on August 18, 2025 with parallel cases into In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation. Named plaintiffs include David Lee, Paul Mason, June Mack, Willie Ellis, Benjamin Melton, Thomas Warren, and several others including representatives for two minors (W.M. and B.B.). An August 19, 2025 full-day virtual mediation before JAMS mediator Bruce Friedman, Esq. did not produce a resolution; the parties reached a settlement in principle on September 2, 2025 and signed the settlement agreement on December 17, 2025.
The $850,000 non-reversionary class settlement received preliminary approval on February 19, 2026. Approximately 153,575 individuals were notified. The final approval hearing is scheduled for June 25, 2026 at 2:00 p.m. before the same court; the claims deadline is July 6, 2026. Plaintiffs alleged AOA failed to implement reasonable cybersecurity measures to protect patient and employee information. AOA denies wrongdoing.
What to do
- Freeze your credit at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). With Social Security numbers and driver’s license numbers in scope, a freeze is the single highest-leverage protective step and is free.
- File IRS Form 14039 (Identity Theft Affidavit) if you are concerned someone may attempt to file a fraudulent tax return using your Social Security number.
- Submit your settlement claim before July 6, 2026. The claims deadline is July 6, 2026 (online at aoasettlement.com or by postmark). The official settlement administrator is Simpluris; call (833) 244-7341 or email [email protected] with questions. Out-of-pocket losses up to $5,000 require documentation (receipts); a smaller pro-rata cash payment requires no documentation.
- Watch for the AOA notification letter at the address on file with the practice; the letter identifies which specific data elements were exposed for you.
- Monitor for medical-identity-theft signals. Review explanation-of-benefits statements from your health insurer for services you did not receive, and read denial letters carefully. Someone using stolen insurance and treatment details can trigger incorrect diagnoses or drug history in your records, which can affect future care.
- Watch your ophthalmology records specifically. This breach is from an eye-care specialist; verify your vision and surgical records are accurate the next time you see a provider — fraudulent prior procedures or diagnoses can affect coverage and clinical decisions.
- Stop the ongoing flow of your eye-care and medical data. HealthConsent files HIPAA restriction requests so the treatment information and health insurance details exposed in this breach are not continuously re-shared with insurers, data brokers, and marketing networks that pull from practice management systems like the one AOA uses.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (131,576 affected; filed 2025-04-08; Hacking/IT Incident; Desktop Computer, Network Server).
- PR Newswire — AOA Provides Notice Following Data Security Incident — entity’s own substitute notice, including data elements, timeline, and support call center.
- HIPAA Journal — AOA Data Breach Settlement Gets First Nod — settlement amount, court, key dates, fairness hearing schedule.
- ClassAction.org — $850K AOA Settlement Ends Class Action Lawsuit — settlement benefits, class definition, 153,575 notified count, and claims deadline.
- Settlement Agreement PDF — In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation — case history, mediation, named plaintiffs, settlement terms.
- AOA Settlement — Official Settlement Website (Simpluris) — class member claims portal, confirmed dates (Final Approval Hearing June 25, 2026; claims deadline July 6, 2026).
- GovInfoSecurity — BianLian Claims Credit for Two Health Data Hacks — ransomware-group attribution.
- SecurityWeek — Two Healthcare Orgs Hit by Ransomware Confirm Data Breaches Impacting Over 100,000 — independent reporting; BianLian listing date confirmed as February 19, 2025.
- Ransomware.live — BianLian victim listing for Alabama Ophthalmology Associates — threat-intelligence record; discovered 2025-02-19 14:52 UTC.
- Comparitech — Alabama eye doctor notifies 131K people of data breach — independent reporting cross-referencing OCR filing and substitute notice.
- ClaimDepot — Alabama Ophthalmology Associates $850K Data Breach Settlement — settlement aggregator; claims detail and administrator contact.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- PR Newswire — Alabama Ophthalmology Associates Provides Notice Following Data Security Incident
- HIPAA Journal — Alabama Ophthalmology Associates Data Breach Settlement Gets First Nod
- ClassAction.org — $850K Alabama Ophthalmology Associates Settlement
- AOA Settlement — Official Settlement Website (Simpluris)
- GovInfoSecurity — BianLian Claims Credit for Two Health Data Hacks
- Comparitech — Alabama eye doctor notifies 131K people of data breach
- Ransomware.live — BianLian victim listing for Alabama Ophthalmology Associates
- SecurityWeek — Two Healthcare Orgs Hit by Ransomware Confirm Data Breaches Impacting Over 100,000
- ClassAction.org — Settlement Agreement PDF (In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation)
- ClaimDepot — Alabama Ophthalmology Associates $850K Data Breach Settlement
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.