Data breach at Asheville medical provider prompts class action lawsuit
By Laura Hackett
May 22, 2025 at 4:47 PM EDT
A class action lawsuit is moving forward against an Asheville medical provider over a data breach affecting about 193,000 patients.
The lawsuit consolidated the cases of five former Asheville Eye Associates patients who allege their data was compromised in November 2024.
Robert Woodsmall, a former patient, alleged in his original complaint that the ophthalmology practice failed to use reasonable security procedures and properly secure and safeguard private information.
Patient data such as names, addresses, health insurance information and medical treatment information were exposed, according to the complaint.
DragonForce Ransomware, a cyber group, took responsibility for the online attack. In an interview with Suspect File, an anonymous representative from DragonForce said it demanded a $7 million ransom for the non-disclosure of data that included classified medical information and patient contact information.
Asheville Eye Associates, one of the largest ophthalmology practices in the region, did not pay the ransom, so the documents were uploaded to an encrypted DragonForce website known as an “.onion blog,” according to Suspect File.
The company operates 10 eye centers in the region. It learned of the incident in late December and engaged third-party experts and consultants to contain and investigate the attack, according to the complaint.
Asheville Eye Associates maintained that “patient Social Security numbers, credit card numbers, and financial information were not exposed as a result of this incident,” but recommends that its patients renew all statements from the practice to ensure they are accurate and do not contain any unauthorized charges.
In an order issued this week, the N.C. Business Court appointed Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman, PLLC as interim lead class counsel for the plaintiffs.
A page on the company’s website that included information about the data breach has been taken down. An archived version of the page from February includes a press release about the data breach.
Asheville Eye Associates did not respond to multiple requests for comment.
The lawsuit consolidated the cases of five former Asheville Eye Associates patients who allege their data was compromised in November 2024.
Robert Woodsmall, a former patient, alleged in his original complaint that the ophthalmology practice failed to use reasonable security procedures and properly secure and safeguard private information.
Patient data such as names, addresses, health insurance information and medical treatment information were exposed, according to the complaint.
DragonForce Ransomware, a cyber group, took responsibility for the online attack. In an interview with Suspect File, an anonymous representative from DragonForce said it demanded a $7 million ransom for the non-disclosure of data that included classified medical information and patient contact information.
Asheville Eye Associates, one of the largest ophthalmology practices in the region, did not pay the ransom, so the documents were uploaded to an encrypted DragonForce website known as an “.onion blog,” according to Suspect File.
The company operates 10 eye centers in the region. It learned of the incident in late December and engaged third-party experts and consultants to contain and investigate the attack, according to the complaint.
Asheville Eye Associates maintained that “patient Social Security numbers, credit card numbers, and financial information were not exposed as a result of this incident,” but recommends that its patients renew all statements from the practice to ensure they are accurate and do not contain any unauthorized charges.
In an order issued this week, the N.C. Business Court appointed Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman, PLLC as interim lead class counsel for the plaintiffs.
A page on the company’s website that included information about the data breach has been taken down. An archived version of the page from February includes a press release about the data breach.
Asheville Eye Associates did not respond to multiple requests for comment.