Asheville Eye Associates Data Breach 2025: 204,984 Affected After DragonForce Ransomware Attack on Western NC Ophthalmology Group
Asheville Eye Associates, PLLC disclosed a November 2024 network intrusion that exposed protected health information for 204,984 patients across its 10 Western North Carolina eye care centers. The DragonForce ransomware group claimed responsibility, posted roughly 540 GB to its leak site, and a consolidated class action settled in 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 18, 2024
Unauthorized party gains access to Asheville Eye Associates network
Nov 20, 2024
Suspicious activity identified; incident response engaged
Dec 29, 2024
DragonForce posts Asheville Eye Associates to its Tor-based leak site; data made publicly available (per ransomware.live)
Jan 17, 2025
Initial HIPAA breach report filed with HHS OCR (193,306 individuals)
Jan 17, 2025
Disclosed publicly
Jan 31, 2025
Substitute breach notice posted to ashevilleeye.com
Apr 14, 2025
Investigation concludes that PHI was accessed and acquired
May 22, 2025
Woodsmall v. Asheville Eye Associates filed; consolidated with related cases in NC Business Court
Jun 13, 2025
Individual notification letters mailed to affected patients
Jul 1, 2025
OCR portal count updated to 204,984 individuals
Nov 5, 2025
Preliminary approval of class-action settlement
Apr 6, 2026
Claim submission, objection, and exclusion deadline
May 14, 2026
Final fairness hearing scheduled
Nov 18, 2024
Unauthorized party gains access to Asheville Eye Associates network
Nov 20, 2024
Suspicious activity identified; incident response engaged
Dec 29, 2024
DragonForce posts Asheville Eye Associates to its Tor-based leak site; data made publicly available (per ransomware.live)
Jan 17, 2025
Initial HIPAA breach report filed with HHS OCR (193,306 individuals)
Jan 17, 2025
Disclosed publicly
Jan 31, 2025
Substitute breach notice posted to ashevilleeye.com
Apr 14, 2025
Investigation concludes that PHI was accessed and acquired
May 22, 2025
Woodsmall v. Asheville Eye Associates filed; consolidated with related cases in NC Business Court
Jun 13, 2025
Individual notification letters mailed to affected patients
Jul 1, 2025
OCR portal count updated to 204,984 individuals
Nov 5, 2025
Preliminary approval of class-action settlement
Apr 6, 2026
Claim submission, objection, and exclusion deadline
May 14, 2026
Final fairness hearing scheduled
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Asheville Eye Associates, PLLC, a 10-clinic ophthalmology and vision care group serving Western North Carolina from its Asheville headquarters, disclosed a November 2024 network intrusion that the DragonForce ransomware group has claimed responsibility for. The practice filed its initial HIPAA breach report with HHS OCR on January 17, 2025 at 193,306 individuals, then updated the OCR portal to 204,984 affected individuals as the forensic review concluded. A consolidated class action filed in the North Carolina Business Court received preliminary settlement approval on November 5, 2025; the final fairness hearing was scheduled for May 14, 2026.
Timeline
- November 18, 2024 — An unauthorized party gains access to the Asheville Eye Associates computer network. Per the DragonForce leak-site post, the attackers used a double-extortion tactic: exfiltrating roughly 540 GB before encrypting systems.
- November 20, 2024 — Suspicious activity is identified on the network and incident response is engaged.
- December 29, 2024 — DragonForce adds Asheville Eye Associates to its Tor-based leak site (confirmed by ransomware.live). The group subsequently made the full data set publicly available, indicating the ransom demand went unpaid.
- January 17, 2025 — Asheville Eye files an initial HIPAA breach report with HHS OCR listing 193,306 individuals and Network Server as the breach location.
- January 31, 2025 — A substitute breach notice is posted on ashevilleeye.com. Reporting from BankInfoSecurity and HIPAA Journal notes the notice does not include the incident or discovery date.
- April 14, 2025 — The forensic investigation concludes that protected health information was accessed and acquired during the intrusion.
- May 2025 — Robert Woodsmall files Woodsmall v. Asheville Eye Associates, PLLC in the North Carolina Business Court. The court consolidates this and four related cases brought by former patients into In re Asheville Eye Associates Data Incident Litigation, Case No. 2025CV000809-100.
- June 13, 2025 — Asheville Eye mails individual notification letters to affected patients.
- July 2025 — The OCR portal entry is updated to 204,984 individuals, the final confirmed count.
- November 5, 2025 — The North Carolina Business Court grants preliminary approval of the class-action settlement.
- April 6, 2026 — Deadline for class members to submit a claim, object, or opt out.
- May 14, 2026 — Final fairness hearing scheduled.
What was exposed
Asheville Eye Associates’ own notification letter limits the confirmed exposure to four categories: name, address, health insurance information, and medical treatment information. The practice states that “patient Social Security numbers, credit card numbers, and financial information were not exposed as a result of this incident.”
DragonForce’s leak-site post tells a broader story. SuspectFile and ClassAction.org reporting describes a sample that includes patient emails, dates of birth, Social Security numbers, patient account numbers, and diagnosis information. ComplianceJunction’s March 2026 coverage of the settlement additionally reports that the leaked data included employee and physician records containing addresses, phone numbers, spouse names, Social Security numbers, driver’s license details, passport data, professional licensing information, HR documentation, and payment information. SecurityWeek confirmed that DragonForce made the data publicly available on its leak site. The practice has not publicly reconciled the gap between its own narrow notice disclosure and the broader leak-site scope. ComplianceJunction estimated that the breach affected roughly 328,000 individuals total when counting employees alongside HIPAA-covered patients; the OCR-confirmed figure of 204,984 reflects covered individuals under HIPAA. Until the scope is fully adjudicated, patients and former employees alike should plan defenses for the broader leak-site categories.
What Asheville Eye is offering
Under the preliminarily approved settlement, class members are eligible for:
- Up to $1,250 in reimbursement for documented, unreimbursed out-of-pocket losses fairly traceable to the breach (bank fees, credit-monitoring costs, interest on payday loans, and similar items).
- One year of one-bureau Essential identity theft monitoring, with automatic enrollment for class members.
- A $10 voucher redeemable toward an eyeglass purchase at any Asheville Eye Associates location, automatically issued to every class member.
Attorneys’ fees are capped at $500,000, administration costs at $53,000, and the five class representatives receive $1,250 service awards each. Enrollment codes expire 90 days after notice distribution. Compensation distributions begin only after final approval and any appeals are resolved. The settlement website is AEADataSettlement.com.
About DragonForce
DragonForce is a Ransomware-as-a-Service (RaaS) group that first emerged in 2023. As of early 2026, the group has listed at least 363 victims on its Data Leak Site, targeting organizations across the United States, United Kingdom, and Germany. DragonForce is known for double-extortion tactics: stealing data before encrypting it and threatening public release if the ransom goes unpaid. Paubox’s reporting notes that DragonForce subsequently claimed RansomHub’s infrastructure when that group went offline in April 2025 and defaced the rival BlackLock leak site. The practice has not publicly stated that the incident was a ransomware attack, but has not disputed DragonForce’s claim.
Class-action posture
The case caption is In re Asheville Eye Associates Data Incident Litigation, Case No. 2025CV000809-100, pending in the North Carolina Business Court (a specialized superior-court division). The complaint, originally led by Woodsmall v. Asheville Eye Associates, asserts negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence. Milberg Coleman Bryson Phillips Grossman, PLLC is named class counsel per Blue Ridge Public Radio’s reporting; Strauss Borrelli, Edelson Lechtzin, Chimicles Schwartz Kriner & Donaldson-Smith, Markovits Stock & DeMarco, Pittman Dutton Hellums Bradley & Mann, and Migliaccio & Rathod ran public investigations into the breach.
The HHS Office for Civil Rights investigation status is not separately published; the OCR portal entry remains posted.
What to do if you may be affected
Given the disconnect between the entity’s narrow exposure summary and the broader DragonForce leak-site reporting, plan as though sensitive identifiers were exposed:
- Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new account fraud. This is the single highest-leverage step if SSNs are in play.
- Check the settlement website at AEADataSettlement.com. The claim submission deadline was April 6, 2026; if you submitted a claim, monitor for distribution notices after final court approval. If you did not submit a claim, you may still enroll in the one-year identity theft monitoring as an automatic benefit for non-excluded class members.
- Enroll in the one-year identity theft monitoring offered through the settlement if you have not already done so. One-bureau coverage is thin given the leak-site scope; pair it with the credit freeze above.
- Watch for medical identity theft. Request copies of your Explanation of Benefits from health insurers. Verify the listed claims are yours. Report anything unfamiliar to your insurer and to HHS OCR.
- Request an IRS Identity Protection PIN at irs.gov/ippin. If SSNs were in fact exposed, tax-refund fraud is a leading attack pattern.
- Former employees and physicians: review your professional credentials and HR records. The leaked data reportedly includes passports, professional license numbers, HR documentation, and payment information for staff. Contact the relevant licensing boards if you suspect misuse.
- Be skeptical of inbound calls, texts, or emails referencing the breach. Threat actors routinely follow large leaks with targeted phishing using the leaked identifiers.
- Stop the ongoing flow of your eye care and vision records. HealthConsent files HIPAA restriction requests so the ophthalmology and medical treatment data exposed in this breach is not continuously re-shared with insurers, affiliated providers, and data brokers across health information networks.
Sources
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Asheville Eye Associates Hacking Incident Impacts 205K Patients
- HIPAA Journal — Asheville Eye Associates Settles Lawsuit Stemming from DragonForce Ransomware Attack
- BankInfoSecurity — 2 Eye Care Practice Hacks Affect 260,000 Patients, Staff
- Blue Ridge Public Radio — Data breach at Asheville medical provider prompts class action lawsuit
- ClassAction.org — Asheville Eye Associates Data Breach Settlement Offers Vouchers, Reimbursement, Identity Theft Protection
- ClassAction.org — Asheville Eye Associates Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC — Asheville Eye Associates Data Breach Investigation
- Edelson Lechtzin LLP — Asheville Eye Associates, PLLC class action investigation
- Markovits, Stock & DeMarco — Asheville Eye Associates, PLLC Data Breach Class Action Investigation
- Mastodon (HHS Breach Tracker) — Asheville Eye Associates filing
- SecurityWeek — Asheville Eye Associates Says 147,000 Impacted by Data Breach
- Paubox — Asheville Eye Associates to pay $500k following ransomware attack
- ComplianceJunction — Asheville Eye Associates Agrees To Settlement Following DragonForce Ransomware Data Breach
- Ransomware.live — Victim: Asheville Eye Associates (DragonForce)
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Asheville Eye Associates Hacking Incident Impacts 205K Patients
- HIPAA Journal — Asheville Eye Associates Settles Lawsuit Stemming from DragonForce Ransomware Attack
- BankInfoSecurity — 2 Eye Care Practice Hacks Affect 260,000 Patients, Staff
- Blue Ridge Public Radio — Data breach at Asheville medical provider prompts class action lawsuit
- ClassAction.org — Asheville Eye Associates Data Breach Settlement Offers Vouchers, Reimbursement, Identity Theft Protection
- ClassAction.org — Asheville Eye Associates Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC — Asheville Eye Associates Data Breach Investigation
- Edelson Lechtzin LLP — Asheville Eye Associates, PLLC class action investigation
- Markovits, Stock & DeMarco — Asheville Eye Associates, PLLC Data Breach Class Action Investigation
- Mastodon (HHS Breach Tracker) — Asheville Eye Associates filing
- SecurityWeek — Asheville Eye Associates Says 147,000 Impacted by Data Breach
- Paubox — Asheville Eye Associates to pay $500k following ransomware attack
- ComplianceJunction — Asheville Eye Associates Agrees To Settlement Following DragonForce Ransomware Data Breach
- Ransomware.live — Victim: Asheville Eye Associates (DragonForce)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.