Asheville Eye Associates Agrees To Settlement Following DragonForce Ransomware Data Breach

Mar 15, 2026

Asheville Eye Associates, PLLC agreed to resolve litigation connected to a ransomware attack attributed to the DragonForce group that exposed patient and employee data and resulted in a class action settlement offering compensation and identity monitoring services.

Cyberattack and Data Exposure

The Asheville Eye Associates network experienced a cyberattack on November 18, 2024. The organization confirmed the security incident on April 14, 2025 during an investigation of its systems.

The ransomware group identified as DragonForce claimed responsibility for the attack. The group leaked stolen information online that reportedly totaled about 540 gigabytes. The exposed information involved personal and medical data belonging to patients of the practice. The compromised records included names, email addresses, dates of birth, Social Security numbers, patient account identifiers, diagnosis information, medical treatment details, and health insurance information.

The breach affected approximately 328,000 individuals. Stolen information related to physicians and employees included addresses, phone numbers, spouse names, Social Security numbers, driver’s license details, passport data, professional licensing information, human resources documentation, and payment information.

Legal Claims Filed After The Breach

Legal actions filed after the disclosure of the breach were consolidated into a single proceeding identified as In re Asheville Eye Associates Data Incident Litigation in the General Court of Justice Superior Court Division in South Carolina. The plaintiffs alleged unjust enrichment, negligence, negligence per se, breach of implied contract, and breach of confidence in connection with the protection of personal data.

Asheville Eye Associates denied the allegations presented in the litigation. However, the parties reached a settlement agreement to resolve the dispute and avoid continued litigation and trial proceedings. Asheville Eye Associates also provided affected individuals with one-year identity theft protection services and one-bureau credit monitoring.

Financial Compensation and Identity Monitoring

The terms of the settlement offer several forms of relief to affected individuals. Class members may submit claims for reimbursement of documented losses connected to the data breach up to $1,250 per person. The agreement also provides a $10 voucher that may be used to purchase eyeglasses at Asheville Eye Associates. Individuals requesting reimbursement must provide documentation that the losses were related to the breach.

The settlement agreement includes payment of attorneys’ fees and litigation expenses with a maximum amount of $500,000. Settlement administration costs total $53,000. Service awards for the class representatives are set at $1,250 each, for a combined total of $6,250.

The North Carolina Business Court granted preliminary approval of the settlement on November 5, 2025. Class members must submit claims, request exclusion from the settlement, or file objections by April 6, 2026. A final fairness hearing regarding the settlement is scheduled for May 14, 2026.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
