Asheville Eye Associates Faces Fallout From Cyber Attack - TribPapers

The personal information of 147,116 patients was compromised in a recent cyber attack against Asheville Eye Associates. Photo source: Asheville Eye.

Asheville – Patients of Asheville Eye Associates (AEA) fell victim to a cyber attack that compromised sensitive medical information. News outlets investigating the matter have expressed frustration over AEA’s lack of transparency, although it is customary for parties to an ongoing investigation to refrain from commenting.

What is known is that a group called DragonForce Ransomware claimed responsibility for breaking into AEA’s databases without authorization and exfiltrating 540 GB of sensitive data, including encrypted files. DragonForce’s leak site allegedly claims a larger haul than AEA has acknowledged. According to an individual claiming to represent DragonForce, the “ransomware group” demanded $7 million to keep the stolen records off the dark web. They stated that AEA “made contact” with them but did not pay, after which the data was published in encrypted form on an .onion blog, a site reachable only over the Tor network and difficult even for cybersecurity experts to trace back to its operators.

DragonForce emerged in 2023 and is described as having ideological roots, with some suggesting a pro-Palestine stance, which would make the group “hacktivists.” Its business model, however, has shifted to what could be characterized as cutthroat capitalism. The group now operates as a ransomware-as-a-service provider: affiliates pay to use its ransomware and leak-site infrastructure, and the group keeps 20% of any ransom those affiliates extort from victims. The group targets anything with financial value, but a significant portion of its attacks has been directed at medical practices and law firms.

On January 31, AEA notified patients whose data was involved in the breach. They assured patients that they acted swiftly by “engaging third-party cybersecurity experts to assess, contain, and remediate the incident,” and by notifying law enforcement. AEA informed patients that the hackers had accessed their “name, address, health insurance information, and medical treatment information.” While Social Security numbers, credit card details, and other financial information did not appear to be compromised, later reports indicated that at least some Social Security numbers had also been exfiltrated.

At that time, no evidence suggested that any stolen information had been used to commit identity theft or fraud. AEA nonetheless advised patients to review medical bills and insurance statements carefully “to ensure their accuracy.” The concern is medical identity theft: health insurance details of the kind taken can be used to bill for care the patient never received, and such fraud typically first surfaces as an unfamiliar charge or explanation of benefits. The notice concluded with corporate language that the average patient likely read as obfuscation rather than reassurance.

A subsequent notification informed patients that an investigation concluding on April 14 had identified additional individuals whose personal data was included in the records affected by the breach. After reiterating the information from the first notice, AEA provided the standard breach response line about strengthening information storage systems and offering a free year of credit monitoring and identity theft services to those whose Social Security numbers may have been exposed. They also referred affected individuals to recommendations from the Federal Trade Commission “on how to place a fraud alert or a security freeze on your credit file.” With apologies, they assured patients that no evidence of any misuse of files had surfaced and encouraged concerned patients to call 828-210-2698 with questions.

In its initial notification to patients, AEA stated that the records of 193,306 individuals had been affected. This number was later increased to 204,984. Following “further investigation and data validation,” the number of confirmed individuals affected, as provided in the formal notification to the Maine Attorney General’s Office, was revised down to 147,116.

In a double blow to AEA, a class action lawsuit has been filed by patients claiming that the practice did not adequately safeguard personal data. The lawsuit is nationwide in scope and is attracting legal firms from as far away as Pennsylvania, Maine, and Alabama.

With 10 offices, AEA is a major player in local eye care. In addition to offering comprehensive eye exams, their website states, “Our highly-skilled physicians include every subspecialty of ophthalmology and deliver the most advanced medical and surgical eye care for all your eye care needs.”