Massive data breach at Ocuco Inc. exposes health information of nearly 241,000 individuals

Ocuco Inc., a global provider of optical software solutions headquartered in Dublin, has reported a major data breach impacting the protected health information of 240,961 individuals. The disclosure was made in a breach notification submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) on May 30, 2025.

The company, which operates extensively in the United States through its Florida-based subsidiary, is known for its Acuitas practice management and electronic health record software. This system is used widely across thousands of eye care practices, optical retailers, clinics, and lens manufacturing laboratories.

According to the OCR breach report, the incident is classified as a hacking event targeting network servers. While Ocuco has yet to release detailed information regarding the breach, evidence points to a ransomware attack attributed to Killsec, also known as Kill Security. Despite its self-identification as a hacktivist group, Killsec is believed to function as a financially driven ransomware-as-a-service operation, with a history of targeting both public and private sector entities.

The breach came to wider attention when Killsec listed Ocuco on its dark web leak site on April 1, 2025. The appearance of downloadable data from the breach on that site indicates that Ocuco may not have complied with ransom demands, and the attackers followed through with their threat to release stolen files.

Screenshots published on the leak site show a range of compromised data, including business documents, patient appointment records, and folders linked to clients in the U.S. and Canada. Notable organizations mentioned in the breach include Costco, HoustonEye, Kaiser, Mayo Clinic, Optos, and Specsavers, among others.

Although independent confirmation of the availability of protected health information on the dark web remains pending, the filing with the HHS indicates that such information was indeed exposed in the attack. The breach has already prompted legal scrutiny, with multiple law firms launching investigations into potential class action litigation on behalf of affected individuals.

As of now, Ocuco has not issued a public statement elaborating on the extent of the breach, the nature of the data compromised, or any measures being taken in response.