HIPAA-covered entity Asheville Eye Associates agreed to a class action settlement to resolve lawsuit arising from a November 2024 cyberattack in which a ransomware actor accessed and potentially exfiltrated sensitive patient information.
Litigation Background
The settlement stems from consolidated litigation titled In Re: Asheville Eye Associates Data Incident Litigation related to a November 2024 ransomware attack that targeted Asheville Eye Associates’ computer network. Plaintiffs asserted claims including unjust enrichment, negligence, negligence per se, breach of confidence, and breach of implied contract arising from the provider’s alleged failure to safeguard private information. Asheville Eye Associates denied all claims and contentions and maintained there was no wrongdoing.
Nature of the Data Exposure
Information accessed during the cyberattack was reported to include patient names, addresses, health insurance information, and medical treatment information. The ransomware actor known as DragonForce claimed responsibility for the attack and asserted that it had exfiltrated a substantial volume of data from the provider’s systems.
Settlement Terms and Benefits
Under the terms of the settlement, Asheville Eye Associates agreed to fund various benefits for class members. Class members may submit claims for refund of documented, unreimbursed losses directly related to the data security incident, subject to a per-person maximum reimbursement amount of $1,250. All class members are eligible to enroll in one year of identity theft protection services. Settlement terms also provide that class members will automatically receive a $10 voucher that may be applied toward the purchase of eyeglasses at Asheville Eye Associates locations with the exception of the 21 Medical Park Drive, Asheville, North Carolina location.
Asheville Eye Associates agreed to pay for attorneys’ fees and expenses not to exceed $500,000, settlement administration costs of $53,000, and service awards of $1,250 total for each class representative, amounting to a combined total of $6,250 for service awards.
Administrative and Court Deadlines
The deadline for objections, requests for exclusion from the class, and submission of claim forms is April 6, 2026. The court scheduled a final fairness hearing to consider approval of the settlement for May 14, 2026 at 10:00 a.m. Eastern Time.
Scope of the Settlement Class
The settlement applies to affected individuals, commonly described as patients and possibly others whose personal health information or personally identifiable information was compromised in the November 2024 incident. The authorized settlement website materials specify that claim forms must be submitted by the April 6, 2026 deadline to qualify for benefits under the settlement.
Class Member Resources
Settlement class members may obtain information about filing claims, requesting exclusion, or filing objections through materials provided by the settlement administrator. The administrator is responsible for distributing notices that include claim forms and additional instructions consistent with the court-approved settlement process.