HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Asheville Eye Associates announces data breach impacting nearly 200K

Written by Abby Grifno | Feb 11, 2025 1:16:54 AM

What happened

Asheville Eye Associates recently began notifying individuals who were impacted by a cybersecurity incident. 

The company filed a report with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), confirming the breach impacted 193,306 past and present patients. 

Asheville Eye Associates has been a leading eye care center in North Carolina for over 50 years, offering services including surgery, eyelid reconstruction, pediatric care, and more. With a strong reputation in the community, a proactive response can help ensure Asheville Eye Associates remains a cornerstone for eye care in North Carolina.

 

Going deeper

According to their notice, published on January 31st, 2025, once the practice discovered an incident had impacted their IT systems, they immediately used third-party cybersecurity experts to assess, contain, and remediate the incident. 

The investigation determined that accessed information includes names, addresses, health insurance information, and for some, medical treatment information. Financial information and Social Security numbers were not part of the breach. 

In their notice to the HHS, the incident was described as a “Hacking/IT Incident” on a network server. While Asheville Eye Associates was impacted and reported the breach, that doesn’t necessarily mean their security system was the one that was compromised. It’s becoming more and more common for vendors to ultimately be responsible for breaches, although this information is unlikely to become public unless Asheville Eye Associates undergoes a public investigation.

 

What was said

In their notice, the company said that the investigation “has not identified any instances of fraud or identity theft that have occurred as a result of this incident.” However, the practice still recommends individuals review any statements received to ensure accuracy. 

“AEA takes its responsibility to safeguard personal information seriously and regrets any concern that this incident may have caused,” the team said. “The organization has reviewed and enhanced its data security practices in order to help reduce the likelihood of a similar event in the future.” 

 

The big picture

Now that patients are beginning to be notified, Asheville Eye Center will likely soon have a fuller understanding of the breach’s impact, including whether it impacted patients enough to start a class action lawsuit. These suits are increasingly common and can impact the finances and reputations of organizations. In some cases, devastating breaches can even result in permanent healthcare facility closures.

Asheville has faced other struggles in recent months; in September 2024, North Carolina was devastated by Hurricane Helene, which continues to impact the community despite recovery efforts. Data breaches, on top of other current events, can add more financial burdens to individuals and organizations impacted.
