Asheville Eye Associates Settles Lawsuit Stemming from DragonForce Ransomware Attack
Asheville Eye Associates, an eye care provider serving patients in Western North Carolina, has agreed to settle class action litigation stemming from a November 2024 cyberattack and data breach.
A cyber threat actor accessed its network and potentially viewed or obtained patient information, including names, addresses, health insurance information, and medical treatment information. The Asheville Eye Associates data breach was reported to the HHS’ Office for Civil Rights as affecting 204,984 individuals. The DragonForce ransomware group took credit for the attack and claimed to have exfiltrated 540 GB of data before encrypting files. The data was leaked when the ransom was not paid. The affected individuals were notified about the attack in early February 2024.
Multiple lawsuits were filed in response to the data breach by plaintiffs Robert Woodsmall, Mimi Reynolds, Dena Brito, Robert Ricchetti, and Christopher Miller. The lawsuits were consolidated, In re Asheville Eye Associates Data Incident Litigation, in South Carolina’s General Court of Justice Superior Court Division. The lawsuit asserted several claims, including negligence, negligence per se, unjust enrichment, breach of implied contract, and breach of confidence. Asheville Eye Associates denies all claims and contentions in the lawsuit and maintains there was no wrongdoing.
Following mediation, all parties agreed to settle the litigation to avoid further litigation costs and expenses, and the uncertainty of a trial. Under the terms of the settlement, Asheville Eye Associates has agreed to pay for attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and several benefits for the class members.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Attorneys’ fees and expenses will not exceed $500,000, settlement administration costs are $53,000, and service awards of $1,250 per class representative (total: $6,250) have been approved. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,250 per class member. All class members may claim one year of identity theft protection services, and will automatically receive a $10 voucher that can be used toward the purchase of eyeglasses at any Asheville Eye Associates location (except its 21 Medical Park Drive, Asheville, North Carolina location).
The deadline for objection, exclusion, and submitting a claim is April 6, 2026. The final fairness hearing has been scheduled for May 14, 2026.
