Active breach tracker Asheville, North Carolina Disclosed January 17, 2025

Asheville Eye Associates Data Breach 2025: 204,984 Affected After DragonForce Ransomware Attack on Western NC Ophthalmology Group

Asheville Eye Associates, PLLC disclosed a November 2024 network intrusion that exposed protected health information for 204,984 patients across its 10 Western North Carolina eye care centers. The DragonForce ransomware group claimed responsibility, posted roughly 540 GB to its leak site, and a consolidated class action settled in 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 18, 2024

Unauthorized party gains access to Asheville Eye Associates network

Nov 20, 2024

Suspicious activity identified; incident response engaged

Dec 29, 2024

DragonForce posts Asheville Eye Associates to its Tor-based leak site; data made publicly available (per ransomware.live)

Jan 17, 2025

Initial HIPAA breach report filed with HHS OCR (193,306 individuals)

Jan 17, 2025

Disclosed publicly

Jan 31, 2025

Substitute breach notice posted to ashevilleeye.com

Apr 14, 2025

Investigation concludes that PHI was accessed and acquired

May 22, 2025

Woodsmall v. Asheville Eye Associates filed; consolidated with related cases in NC Business Court

Jun 13, 2025

Individual notification letters mailed to affected patients

Jul 1, 2025

OCR portal count updated to 204,984 individuals

Nov 5, 2025

Preliminary approval of class-action settlement

Apr 6, 2026

Claim submission, objection, and exclusion deadline

May 14, 2026

Final fairness hearing scheduled

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth (per leaked-data reporting; not confirmed by entity) Social Security number (per leaked-data reporting; entity disputes) Physician PII including driver's licenses, passports, and professional licenses (per leaked-data reporting)

02

Health records

Don't expire and can't be reissued

Medical treatment information Diagnosis information (per leaked-data reporting; not confirmed by entity)

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information Email address (per leaked-data reporting; not confirmed by entity) Patient account number (per leaked-data reporting; not confirmed by entity)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Milberg Coleman Bryson Phillips Grossman, PLLC Strauss Borrelli PLLC Edelson Lechtzin LLP Chimicles Schwartz Kriner & Donaldson-Smith LLP Markovits, Stock & DeMarco, LLC Pittman Dutton Hellums Bradley & Mann Migliaccio & Rathod LLP
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Asheville Eye Associates, PLLC, a 10-clinic ophthalmology and vision care group serving Western North Carolina from its Asheville headquarters, disclosed a November 2024 network intrusion that the DragonForce ransomware group has claimed responsibility for. The practice filed its initial HIPAA breach report with HHS OCR on January 17, 2025 at 193,306 individuals, then updated the OCR portal to 204,984 affected individuals as the forensic review concluded. A consolidated class action filed in the North Carolina Business Court received preliminary settlement approval on November 5, 2025; the final fairness hearing was scheduled for May 14, 2026.

Timeline

  • November 18, 2024 — An unauthorized party gains access to the Asheville Eye Associates computer network. Per the DragonForce leak-site post, the attackers used a double-extortion tactic: exfiltrating roughly 540 GB before encrypting systems.
  • November 20, 2024 — Suspicious activity is identified on the network and incident response is engaged.
  • December 29, 2024 — DragonForce adds Asheville Eye Associates to its Tor-based leak site (confirmed by ransomware.live). The group subsequently made the full data set publicly available, indicating the ransom demand went unpaid.
  • January 17, 2025 — Asheville Eye files an initial HIPAA breach report with HHS OCR listing 193,306 individuals and Network Server as the breach location.
  • January 31, 2025 — A substitute breach notice is posted on ashevilleeye.com. Reporting from BankInfoSecurity and HIPAA Journal notes the notice does not include the incident or discovery date.
  • April 14, 2025 — The forensic investigation concludes that protected health information was accessed and acquired during the intrusion.
  • May 2025 — Robert Woodsmall files Woodsmall v. Asheville Eye Associates, PLLC in the North Carolina Business Court. The court consolidates this and four related cases brought by former patients into In re Asheville Eye Associates Data Incident Litigation, Case No. 2025CV000809-100.
  • June 13, 2025 — Asheville Eye mails individual notification letters to affected patients.
  • July 2025 — The OCR portal entry is updated to 204,984 individuals, the final confirmed count.
  • November 5, 2025 — The North Carolina Business Court grants preliminary approval of the class-action settlement.
  • April 6, 2026 — Deadline for class members to submit a claim, object, or opt out.
  • May 14, 2026 — Final fairness hearing scheduled.

What was exposed

Asheville Eye Associates’ own notification letter limits the confirmed exposure to four categories: name, address, health insurance information, and medical treatment information. The practice states that “patient Social Security numbers, credit card numbers, and financial information were not exposed as a result of this incident.”

DragonForce’s leak-site post tells a broader story. SuspectFile and ClassAction.org reporting describes a sample that includes patient emails, dates of birth, Social Security numbers, patient account numbers, and diagnosis information. ComplianceJunction’s March 2026 coverage of the settlement additionally reports that the leaked data included employee and physician records containing addresses, phone numbers, spouse names, Social Security numbers, driver’s license details, passport data, professional licensing information, HR documentation, and payment information. SecurityWeek confirmed that DragonForce made the data publicly available on its leak site. The practice has not publicly reconciled the gap between its own narrow notice disclosure and the broader leak-site scope. ComplianceJunction estimated that the breach affected roughly 328,000 individuals total when counting employees alongside HIPAA-covered patients; the OCR-confirmed figure of 204,984 reflects covered individuals under HIPAA. Until the scope is fully adjudicated, patients and former employees alike should plan defenses for the broader leak-site categories.

What Asheville Eye is offering

Under the preliminarily approved settlement, class members are eligible for:

  • Up to $1,250 in reimbursement for documented, unreimbursed out-of-pocket losses fairly traceable to the breach (bank fees, credit-monitoring costs, interest on payday loans, and similar items).
  • One year of one-bureau Essential identity theft monitoring, with automatic enrollment for class members.
  • A $10 voucher redeemable toward an eyeglass purchase at any Asheville Eye Associates location, automatically issued to every class member.

Attorneys’ fees are capped at $500,000, administration costs at $53,000, and the five class representatives receive $1,250 service awards each. Enrollment codes expire 90 days after notice distribution. Compensation distributions begin only after final approval and any appeals are resolved. The settlement website is AEADataSettlement.com.

About DragonForce

DragonForce is a Ransomware-as-a-Service (RaaS) group that first emerged in 2023. As of early 2026, the group has listed at least 363 victims on its Data Leak Site, targeting organizations across the United States, United Kingdom, and Germany. DragonForce is known for double-extortion tactics: stealing data before encrypting it and threatening public release if the ransom goes unpaid. Paubox’s reporting notes that DragonForce subsequently claimed RansomHub’s infrastructure when that group went offline in April 2025 and defaced the rival BlackLock leak site. The practice has not publicly stated that the incident was a ransomware attack, but has not disputed DragonForce’s claim.

Class-action posture

The case caption is In re Asheville Eye Associates Data Incident Litigation, Case No. 2025CV000809-100, pending in the North Carolina Business Court (a specialized superior-court division). The complaint, originally led by Woodsmall v. Asheville Eye Associates, asserts negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence. Milberg Coleman Bryson Phillips Grossman, PLLC is named class counsel per Blue Ridge Public Radio’s reporting; Strauss Borrelli, Edelson Lechtzin, Chimicles Schwartz Kriner & Donaldson-Smith, Markovits Stock & DeMarco, Pittman Dutton Hellums Bradley & Mann, and Migliaccio & Rathod ran public investigations into the breach.

The HHS Office for Civil Rights investigation status is not separately published; the OCR portal entry remains posted.

What to do if you may be affected

Given the disconnect between the entity’s narrow exposure summary and the broader DragonForce leak-site reporting, plan as though sensitive identifiers were exposed:

  1. Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new account fraud. This is the single highest-leverage step if SSNs are in play.
  2. Check the settlement website at AEADataSettlement.com. The claim submission deadline was April 6, 2026; if you submitted a claim, monitor for distribution notices after final court approval. If you did not submit a claim, you may still enroll in the one-year identity theft monitoring as an automatic benefit for non-excluded class members.
  3. Enroll in the one-year identity theft monitoring offered through the settlement if you have not already done so. One-bureau coverage is thin given the leak-site scope; pair it with the credit freeze above.
  4. Watch for medical identity theft. Request copies of your Explanation of Benefits from health insurers. Verify the listed claims are yours. Report anything unfamiliar to your insurer and to HHS OCR.
  5. Request an IRS Identity Protection PIN at irs.gov/ippin. If SSNs were in fact exposed, tax-refund fraud is a leading attack pattern.
  6. Former employees and physicians: review your professional credentials and HR records. The leaked data reportedly includes passports, professional license numbers, HR documentation, and payment information for staff. Contact the relevant licensing boards if you suspect misuse.
  7. Be skeptical of inbound calls, texts, or emails referencing the breach. Threat actors routinely follow large leaks with targeted phishing using the leaked identifiers.
  8. Stop the ongoing flow of your eye care and vision records. HealthConsent files HIPAA restriction requests so the ophthalmology and medical treatment data exposed in this breach is not continuously re-shared with insurers, affiliated providers, and data brokers across health information networks.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.