CEI Vision Partners, LLC Data Breach 2025: 10,841 Affected · May 2024 Network Intrusion · Notifications Sent August 2025
CEI Vision Partners (CVP), a multi-state ophthalmology management services organization now part of EyeCare Partners, was breached when an unauthorized actor accessed its network between May 24 and May 27, 2024. CVP filed with HHS OCR reporting 10,841 affected individuals and began mailing notifications on August 18, 2025 — roughly 15 months after detection. A federal class action, Sharpe v. CEI Vision Partners, LLC (S.D. Ohio 1:25-cv-00591), was filed August 15, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 24, 2024
Attacker gained access
May 26, 2024
Breach detected
Aug 18, 2025
Disclosed publicly
May 24, 2024
Attacker gained access
May 26, 2024
Breach detected
Aug 18, 2025
Disclosed publicly
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CEI Vision Partners, LLC (“CVP”) — a Cincinnati-headquartered ophthalmology management services organization spanning a network of more than 300 ophthalmologists and 700 optometrists, and a subsidiary of Missouri-based EyeCare Partners since 2021 — disclosed that an unauthorized third party accessed its computer network between May 24 and May 27, 2024. CVP detected the intrusion on May 26, 2024, but did not begin mailing individual notifications until August 18, 2025, roughly fifteen months after detection. CVP’s filing with the HHS Office for Civil Rights reports 10,841 affected individuals, and a federal class action, Sharpe v. CEI Vision Partners, LLC (S.D. Ohio No. 1:25-cv-00591), was filed on August 15, 2025.
Timeline
- 2024-05-24 — access: Forensic analysis later determined an unauthorized actor began accessing CVP’s network on this date.
- 2024-05-26 — detected: CVP identified suspicious activity on its network and launched an investigation with outside cybersecurity counsel.
- 2025-06-10 — other: CVP completed its extensive review and data-validation process, finalizing the affected-individual population and the specific data elements exposed.
- 2025-08-08 — filed: CVP submitted breach notice to the Montana Attorney General’s office.
- 2025-08-13 — filed: CVP submitted breach notice to the Vermont Attorney General’s office.
- 2025-08-15 — class-action: Sharpe v. CEI Vision Partners, LLC, No. 1:25-cv-00591, filed in the U.S. District Court for the Southern District of Ohio, alleging inadequate cybersecurity and a delayed notification in violation of HIPAA and state consumer protection laws.
- 2025-08-18 — notified: CVP began mailing notification letters to affected individuals and posted substitute notice.
- 2025 — filed: CVP’s breach notification appears on the HHS OCR breach portal reporting 10,841 individuals affected.
What was exposed
Per CVP’s substitute notice and state attorney general filings, the categories of information that may have been compromised include:
- Names
- Dates of birth
- Social Security numbers
- Financial account information
- Health insurance information
- Limited clinical information
CVP has stated that not all data elements were affected for all individuals, and that the specific elements exposed for each person are identified in their individual notification letter.
What the entity is offering
CVP is providing affected individuals with 12 months of complimentary Experian IdentityWorks Credit 3B identity-monitoring services, including credit monitoring across all three nationwide bureaus and identity-theft insurance. Enrollment instructions and the activation code are included in the individual notification letter. CVP also states it has implemented additional technical and administrative security measures following the incident.
Class-action posture
A proposed federal class action, Sharpe v. CEI Vision Partners, LLC, No. 1:25-cv-00591, was filed in the U.S. District Court for the Southern District of Ohio on August 15, 2025. The complaint, filed by named plaintiff Emily Sharpe and represented by Markovits, Stock & DeMarco, LLC, alleges that CVP failed to implement reasonable cybersecurity safeguards, allowed unauthorized access to sensitive patient and personal information, and unreasonably delayed notification for approximately fifteen months in violation of HIPAA standards and FTC guidance. Multiple additional firms — including Schubert Jonckheer & Kolbe LLP, Strauss Borrelli PLLC, and Barnow and Associates, P.C. — have announced investigations on behalf of affected patients. No settlement has been reached.
What to do
- Freeze your credit at all three nationwide consumer reporting agencies. With Social Security numbers and financial account information in scope, a credit freeze is the single highest-leverage protective step. It is free and reversible.
- Enroll in the Experian IdentityWorks credit monitoring offered by CVP. The activation code in your notification letter expires; activate before the deadline printed in the letter.
- Watch your explanation-of-benefits statements from your health insurer for services you did not receive. Limited clinical and insurance information in scope means medical-identity-theft signals are worth tracking, not just financial ones.
- Keep your notification letter. It identifies the specific data elements exposed for you and is the document the class action settlement administrator (if a settlement is reached) will reference.
- Be cautious of breach-themed phishing. Scammers commonly impersonate breached entities and credit-monitoring providers. CVP’s legitimate notice directs you to a specific Experian enrollment URL; verify before entering any personal information.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record listing CEI Vision Partners, LLC and 10,841 affected individuals.
- HIPAA Journal — Large Vision Care Provider Announces Breach of Patient Data — independent reporting on the entity, dates, exposed-data categories, and notification timing.
- ClassAction.org — CEI Vision Partners Data Breach Exposes SSNs, Medical Info — data elements, Vermont AG filing date, and class-action investigation status.
- PR Newswire — PRIVACY ALERT: CEI Vision Partners Under Investigation — Schubert Jonckheer & Kolbe class-action investigation announcement.
- Strauss Borrelli PLLC — CEI Vision Partners Data Breach Investigation — exposed-data list and 18-state operating footprint context.
- Schubert Jonckheer & Kolbe — CEI Vision Partners Investigation — class-action investigation notice and notification-delay analysis.
- Law.com Radar — Sharpe v. CEI Vision Partners, LLC — docket record for the S.D. Ohio class action (Case No. 1:25-cv-00591).
- Barnow and Associates — CEI Vision Partners Data Breach Investigation — corroborating exposed-data categories and incident dates.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Large Vision Care Provider Announces Breach of Patient Data
- ClassAction.org — CEI Vision Partners Data Breach Exposes SSNs, Medical Info
- PR Newswire — PRIVACY ALERT: CEI Vision Partners Under Investigation for Data Breach
- Strauss Borrelli PLLC — CEI Vision Partners Data Breach Investigation
- Schubert Jonckheer & Kolbe — CEI Vision Partners Investigation
- Law.com Radar — Sharpe v. CEI Vision Partners, LLC
- Barnow and Associates — CEI Vision Partners Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.