Active breach tracker Cincinnati, Ohio Disclosed August 18, 2025

CEI Vision Partners, LLC Data Breach 2025: 10,841 Affected · May 2024 Network Intrusion · Notifications Sent August 2025

CEI Vision Partners (CVP), a multi-state ophthalmology management services organization now part of EyeCare Partners, was breached when an unauthorized actor accessed its network between May 24 and May 27, 2024. CVP filed with HHS OCR reporting 10,841 affected individuals and began mailing notifications on August 18, 2025 — roughly 15 months after detection. A federal class action, Sharpe v. CEI Vision Partners, LLC (S.D. Ohio 1:25-cv-00591), was filed August 15, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 24, 2024

Attacker gained access

May 26, 2024

Breach detected

Aug 18, 2025

Disclosed publicly

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers

02

Health records

Don't expire and can't be reissued

Limited clinical information

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Financial account information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Markovits, Stock & DeMarco, LLC Schubert Jonckheer & Kolbe LLP Strauss Borrelli PLLC Barnow and Associates, P.C.
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CEI Vision Partners, LLC (“CVP”) — a Cincinnati-headquartered ophthalmology management services organization spanning a network of more than 300 ophthalmologists and 700 optometrists, and a subsidiary of Missouri-based EyeCare Partners since 2021 — disclosed that an unauthorized third party accessed its computer network between May 24 and May 27, 2024. CVP detected the intrusion on May 26, 2024, but did not begin mailing individual notifications until August 18, 2025, roughly fifteen months after detection. CVP’s filing with the HHS Office for Civil Rights reports 10,841 affected individuals, and a federal class action, Sharpe v. CEI Vision Partners, LLC (S.D. Ohio No. 1:25-cv-00591), was filed on August 15, 2025.

Timeline

  • 2024-05-24 — access: Forensic analysis later determined an unauthorized actor began accessing CVP’s network on this date.
  • 2024-05-26 — detected: CVP identified suspicious activity on its network and launched an investigation with outside cybersecurity counsel.
  • 2025-06-10 — other: CVP completed its extensive review and data-validation process, finalizing the affected-individual population and the specific data elements exposed.
  • 2025-08-08 — filed: CVP submitted breach notice to the Montana Attorney General’s office.
  • 2025-08-13 — filed: CVP submitted breach notice to the Vermont Attorney General’s office.
  • 2025-08-15 — class-action: Sharpe v. CEI Vision Partners, LLC, No. 1:25-cv-00591, filed in the U.S. District Court for the Southern District of Ohio, alleging inadequate cybersecurity and a delayed notification in violation of HIPAA and state consumer protection laws.
  • 2025-08-18 — notified: CVP began mailing notification letters to affected individuals and posted substitute notice.
  • 2025 — filed: CVP’s breach notification appears on the HHS OCR breach portal reporting 10,841 individuals affected.

What was exposed

Per CVP’s substitute notice and state attorney general filings, the categories of information that may have been compromised include:

  • Names
  • Dates of birth
  • Social Security numbers
  • Financial account information
  • Health insurance information
  • Limited clinical information

CVP has stated that not all data elements were affected for all individuals, and that the specific elements exposed for each person are identified in their individual notification letter.

What the entity is offering

CVP is providing affected individuals with 12 months of complimentary Experian IdentityWorks Credit 3B identity-monitoring services, including credit monitoring across all three nationwide bureaus and identity-theft insurance. Enrollment instructions and the activation code are included in the individual notification letter. CVP also states it has implemented additional technical and administrative security measures following the incident.

Class-action posture

A proposed federal class action, Sharpe v. CEI Vision Partners, LLC, No. 1:25-cv-00591, was filed in the U.S. District Court for the Southern District of Ohio on August 15, 2025. The complaint, filed by named plaintiff Emily Sharpe and represented by Markovits, Stock & DeMarco, LLC, alleges that CVP failed to implement reasonable cybersecurity safeguards, allowed unauthorized access to sensitive patient and personal information, and unreasonably delayed notification for approximately fifteen months in violation of HIPAA standards and FTC guidance. Multiple additional firms — including Schubert Jonckheer & Kolbe LLP, Strauss Borrelli PLLC, and Barnow and Associates, P.C. — have announced investigations on behalf of affected patients. No settlement has been reached.

What to do

  • Freeze your credit at all three nationwide consumer reporting agencies. With Social Security numbers and financial account information in scope, a credit freeze is the single highest-leverage protective step. It is free and reversible.
  • Enroll in the Experian IdentityWorks credit monitoring offered by CVP. The activation code in your notification letter expires; activate before the deadline printed in the letter.
  • Watch your explanation-of-benefits statements from your health insurer for services you did not receive. Limited clinical and insurance information in scope means medical-identity-theft signals are worth tracking, not just financial ones.
  • Keep your notification letter. It identifies the specific data elements exposed for you and is the document the class action settlement administrator (if a settlement is reached) will reference.
  • Be cautious of breach-themed phishing. Scammers commonly impersonate breached entities and credit-monitoring providers. CVP’s legitimate notice directs you to a specific Experian enrollment URL; verify before entering any personal information.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.