Active breach tracker Pennsylvania Disclosed October 31, 2025

Tri-Century Eye Care Data Breach 2025 (Pear Ransomware): 200,000 Patients and Employees Exposed in PA Ophthalmology Practice Attack. What To Do

Tri-Century Eye Care PC, a Bucks County, Pennsylvania ophthalmology practice, suffered a Pear ransomware attack in September 2025 exposing 200,000 patients and employees. Data was leaked publicly. A class action is filed in Bucks County court with interim lead counsel appointed. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 3, 2025

Tri-Century Eye Care detects suspicious activity on its network and begins investigation with third-party cybersecurity specialists

Sep 3, 2025

Attacker gained access

Sep 18, 2025

Pear ransomware group publicly claims responsibility and lists Tri-Century Eye Care on its dark web leak site

Sep 19, 2025

Forensic investigation confirms an unknown actor accessed the network and acquired files containing personal and protected health information; the practice's electronic medical record system itself was not accessed

Oct 13, 2025

Shub Johns & Holbrook LLP files class action lawsuit against Tri-Century in Pennsylvania Court of Common Pleas, Bucks County (Brooks v. Tri-Century Eyecare, P.C., No. 2025-07179)

Oct 30, 2025

Tri-Century Eye Care publishes a notice of data security incident on its public website

Oct 31, 2025

Filed with HHS OCR: 200,000 affected individuals, Hacking/IT Incident on Network Server, Healthcare Provider

Nov 6, 2025

Individual notification letters begin mailing to affected patients and employees

Dec 8, 2025

Edelson Lechtzin LLP publicly announces investigation of class-action claims on behalf of affected patients and employees

Dec 15, 2025

Bucks County court consolidates related actions and appoints Benjamin F. Johns of Shub Johns & Holbrook LLP as Interim Co-Lead Counsel

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Treatment and diagnostic information

03

Contact & insurance

Phishing + targeted scams

Full name Medical and health information Health insurance information Billing and payment information Tax and financial information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Tri-Century Eye Care, P.C. is an ophthalmology practice headquartered in Southampton, Pennsylvania with multiple locations across Bucks County. On September 3, 2025, the practice detected suspicious activity on its network and began an investigation with third-party cybersecurity specialists. By September 19, 2025, the investigation confirmed that an unknown actor had accessed the network and acquired files containing personal and protected health information. The practice has stated that the intruder did not access its current electronic medical record system; the exposure involved separate files stored on the network.

On September 18, 2025, the Pear ransomware group (sometimes described as the “PEAR Team”) publicly claimed responsibility on its dark web leak site and posted samples to substantiate the claim. The group claimed to have stolen a large volume of data described as HR, financial, and business operations documents along with emails, databases, and personal and health information. Files were subsequently published on the leak site, indicating Tri-Century did not pay a ransom.

Tri-Century published a notice of data security incident on its public website on October 30, 2025, filed the breach with HHS OCR on October 31, 2025 (listing 200,000 affected individuals, “Hacking/IT Incident” at “Network Server,” with Tri-Century in the role of Healthcare Provider), and began mailing individual notification letters on November 6, 2025.

Timeline

  • September 3, 2025 — Tri-Century detects suspicious network activity and engages outside cybersecurity specialists.
  • September 18, 2025 — Pear ransomware group claims the attack and lists Tri-Century on its leak site.
  • September 19, 2025 — Forensic investigation confirms unauthorized access and file acquisition; the EMR system itself is determined to be unaffected.
  • October 30, 2025 — Tri-Century publishes a notice of data security incident on its website.
  • October 31, 2025 — HHS OCR filing: 200,000 affected, Hacking/IT Incident at Network Server.
  • October 13, 2025 — Shub Johns & Holbrook LLP files class action in Bucks County (Brooks v. Tri-Century Eyecare, P.C., No. 2025-07179).
  • November 6, 2025 — Individual notification letters begin mailing.
  • November 7, 2025 — Lynch Carpenter LLP announces it is investigating claims.
  • December 8, 2025 — Edelson Lechtzin LLP and Federman & Sherwood announce investigations.
  • December 15, 2025 — Bucks County court consolidates related actions; Benjamin F. Johns (Shub Johns & Holbrook) appointed Interim Co-Lead Counsel.

What was exposed

According to Tri-Century’s notice and follow-on reporting, the files involved in this incident contained varying combinations of the following:

  • Full name
  • Date of birth
  • Social Security number
  • Medical and health information
  • Treatment and diagnostic information
  • Health insurance information
  • Billing and payment information
  • Tax and financial information

Not every individual had every field exposed. Specific elements affecting a given person are listed in that person’s individual notification letter. Because Pear published stolen files on its leak site, the affected data should be treated as already in circulation rather than merely at risk.

What the entity is offering

Tri-Century has stated that it engaged third-party cybersecurity specialists, notified the FBI and the U.S. Department of Health and Human Services, and established a toll-free call center for affected individuals. The practice also says it has implemented stronger password requirements, more frequent password changes, reduced access permissions, and offline storage of older data.

Public sources reviewed for this page do not specify a credit-monitoring product, provider, or enrollment duration. If you received a letter, check it directly for the enrollment code and the term of any complimentary monitoring offered.

Class-action posture

At least one class action is filed and active in Bucks County, Pennsylvania.

Shub Johns & Holbrook LLP filed suit on October 13, 2025, in the Pennsylvania Court of Common Pleas, Bucks County. The case is captioned Brooks v. Tri-Century Eyecare, P.C., No. 2025-07179 (Pa. Com. Pl. Bucks Cty.). On December 15, 2025, the court consolidated related actions and appointed Benjamin F. Johns of Shub Johns & Holbrook as Interim Co-Lead Counsel for plaintiffs.

Additional firms investigating or accepting intake on behalf of patients and employees:

  • Edelson Lechtzin LLP (announced December 8, 2025)
  • Chimicles Schwartz Kriner & Donaldson-Smith LLP
  • Schubert Jonckheer & Kolbe LLP
  • Lynch Carpenter LLP (announced November 7, 2025)
  • Federman & Sherwood (announced December 9, 2025)
  • Shamis & Gentile P.A.
  • Almeida Law Group
  • Barnow and Associates, P.C.

Class members do not need to retain an individual firm to participate in any eventual class settlement; class members in a certified class typically receive notice and a claims period regardless of individual retainer status.

What to do if you may be affected

This week:

  1. Place a free credit freeze with all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). Because SSNs and full names were in the stolen files, account-takeover and new-account fraud are realistic risks. A freeze prevents new accounts from being opened in your name and is more protective than monitoring alone.
  2. Enroll in any complimentary monitoring offered in your individual notification letter. Use the enrollment code in the letter. It is free to you.
  3. If your letter mentions SSN exposure, file IRS Form 14039 (Identity Theft Affidavit) before tax-filing season to flag your SSN against fraudulent tax-refund filings, and consider placing a fraud alert with the Social Security Administration.

This month:

  1. Watch health insurance EOBs and medical bills. Because diagnostic and treatment information was in the stolen files, medical identity theft (services billed under your name and insurance) is a downstream risk that credit monitoring will not catch. Review every EOB for services you did not receive and report discrepancies to your insurer.
  2. Decide on plaintiff representation. Several firms are accepting intake. You are not required to retain any of them, and the typical class settlement compensates class members regardless of whether they signed an individual retainer.
  3. Stop the ongoing flow of your medical data. Once diagnoses and treatments are on a ransomware leak site, they get scraped, enriched, and resold by data brokers and ad-tech firms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.