North Carolina eye care center Asheville Eye Associates (AEA) is notifying roughly 147,000 individuals that their personal information was stolen in a November 2024 data breach.
The incident, the company says, was detected on November 18, after a threat actor gained access to its network and exfiltrated certain files from its systems.
“We quickly engaged third-party specialists to assist us with securing the network environment and investigating the incident,” the company informed the impacted individuals.
The investigation into the stolen data, it says, was concluded on April 14, 2025, and determined that personal information such as names, addresses, Social Security numbers, treatment details, and health insurance information was stolen in the attack.
“As of this writing, we have not received any reports of identity theft related to this incident,” AEA writes in the notification letter to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office.
The eye care center initially disclosed the incident on January 31, when it notified the US Department of Health and Human Services that 193,306 people were affected. Subsequently, that number was updated to 204,984.
Now, the company says it “identified additional individuals whose personal information was contained in the affected records”, but it told the Maine AGO that notification letters were sent to 147,116 people, who are being offered 12 months of free identity theft protection services.
AEA has not shared details on the type of cyberattack it suffered, but the DragonForce ransomware gang added the eye care firm to its Tor-based leak site in December, claiming the theft of nearly 540 GB of data. The group has since made the data available publicly.
SecurityWeek has contacted Asheville Eye Associates for clarification on the number of impacted individuals and confirmation on DragonForce’s claims and will update this article if the company responds.
Related: Hackers Stole 300,000 Crash Reports From Texas Department of Transportation
Related: Anubis Ransomware Packs a Wiper to Permanently Delete Files
Related: MainStreet Bank Data Breach Impacts Customer Payment Cards
Related: Cartier Data Breach: Luxury Retailer Warns Customers That Personal Data Was Exposed
