Data breach at Asheville Eye Associates exposes personal information of over 147,000 individuals

North Carolina-based eye care provider Asheville Eye Associates (AEA) has confirmed that a data breach in late 2024 compromised the personal information of more than 147,000 individuals. The incident, which came to light on November 18, 2024, involved unauthorized access to AEA’s internal systems and the theft of sensitive patient data.

Following the discovery, AEA engaged third-party cybersecurity specialists to contain the breach, secure its network, and launch a comprehensive investigation. The inquiry concluded on April 14, 2025, and determined that threat actors had successfully exfiltrated a broad set of personal information, including full names, addresses, Social Security numbers, details related to medical treatments, and health insurance data.

While AEA has not publicly identified the method of intrusion, the DragonForce ransomware group has claimed responsibility for the attack. The group listed AEA on its dark web leak site in December 2024, asserting that nearly 540 gigabytes of data had been stolen and later made available online.

According to the company’s formal notification to the Maine Attorney General’s Office, 147,116 individuals are being contacted and offered complimentary identity theft protection for one year. Despite the breach’s scale, AEA has stated that, to date, it has not received any reports of identity theft stemming from the incident.

Initial reports to the U.S. Department of Health and Human Services (HHS) on January 31, 2025, indicated that 193,306 individuals were affected. That estimate was later adjusted to 204,984 before being revised to the current confirmed figure, following further investigation and data validation.

Cybersecurity analysts have raised concerns about AEA’s lack of public comment on DragonForce’s specific claims, especially given the group’s assertion that hundreds of gigabytes of patient data were leaked online. Security researchers have reached out to AEA for clarification on the scale of the breach and the veracity of the ransomware group’s claims, but the company has not responded.