The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Asheville Eye Associates Hacking Incident Impacts 205K Patients

Asheville Eye Associates has announced a data breach affecting 193,000 patients, Moses-Weitzman Health System has confirmed employee data was compromised in the cyberattack that affected more than 1 million Community Health Center patients, and the Chicago Department of Public Health says patient data was exposed online.

Asheville Eye Associates

Asheville Eye Associates, an eye care provider serving patients in Western North Carolina, has recently disclosed a security incident involving personal and protected health information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting 193,306 patients, although the total has now been updated to 204,984 individuals. According to its website breach notice, law enforcement was notified about the cyberattack, and third-party cybersecurity experts were engaged to investigate the security incident and determine the nature and scope of the unauthorized activity.

The investigation confirmed that patient data such as names, addresses, health insurance information, and medical treatment information were exposed. At the time of issuing notification letters, no evidence of misuse of the stolen data had been identified. Asheville Eye Associates has recommended that the affected patients review the statements received from their healthcare providers and insurers to ensure they are accurate and do not contain any unauthorized charges.

The January 31, 2025, breach notice does not state when the breach was detected or when it occurred; however, the DragonForce ransomware group claimed responsibility for the attack and said the attack occurred in November 2024. The group claims to have exfiltrated 540 GB of data and then encrypted files. A spokesperson for DragonForce said Asheville Eye Associates made contact but communications stopped and no ransom was paid. The group claims on its data leak site that a much more extensive collection of data was exfiltrated; however, Asheville Eye Associates maintains that “patient Social Security numbers, credit card numbers, and financial information were not exposed as a result of this incident.”

Moses-Weitzman Health System

Moses-Weitzman Health System, a Connecticut health system providing primary care to 150,000 patients and specialty care to more than 2.5 million patients, has notified the Maine Attorney General about a data breach. Unusual activity was identified within its computer network on January 2, 2025. A third-party digital forensics firm was engaged the same day to investigate and determine the nature and scope of the activity and confirmed that a sophisticated criminal actor had accessed its IT environment, made a copy of data, and exfiltrated that information. No information was deleted and files were not encrypted. This is the same cyberattack that was reported separately by Community Health Center in Connecticut, which affected more than 1 million of its patients.

Moses-Weitzman Health System said the incident affected current and former employees, including employees of its affiliates Community Health Center, Community eConsult Network, National Institute for Medical Assistant Advancement, National Nurse Practitioner Residency and Fellowship Training, and Consortium (aka Consortium for Advanced Practice Providers). The HR system was not accessed, and only “limited credentialing information may have been acquired,” as well as information stored in “employee network storage.” The hacker did not steal information such as addresses, dates of birth, Social Security numbers, compensation, direct deposit, offer letters, or performance information. Notification letters have been sent to all current and former employees (3,766 individuals) even though the files did not include information on all (or even most) current or former employees. Identity theft protection services have been offered.

Chicago Department of Public Health

The Chicago Department of Public Health (CDPH) has recently announced that patient data was exposed online last year. On or around October 8, 2024, CDPH learned that patient information used to generate statistics related to public health and safety had been exposed via an online dashboard. When visiting the dashboard, if the visitor took certain steps, they may have been able to view individuals’ names and medical information.

An investigation was launched when the issue was discovered and all public access to the dashboard has now been disabled. Policies and procedures relating to use of dashboards and statistical tools have been reviewed to ensure that similar incidents are prevented in the future. The Chicago Department of Public Health is now notifying the affected individuals and has offered complimentary credit monitoring and identity theft protection services for 12 months. The number of affected individuals has not yet been disclosed.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
