Sensitive Patient and Employee Data Exposed in Asheville Eye Associates Cyberattack

This article reports on the exfiltration of data from the servers of Asheville Eye Associates (AEA) last November in a ransomware attack on its IT infrastructure, an attack claimed by the DragonForce group.

AEA is one of the leading eye care centers in North Carolina, with over 50 years of experience providing specialized services in the western region of the state. The organization operates nine eye care facilities:

  • 8 Medical Park Drive, Asheville, NC 28803
  • 21 Medical Park Drive, Asheville, NC 28803
  • 2001 Hendersonville Road, Asheville, NC 28803
  • 2311 Asheville Highway, Hendersonville, NC 28791
  • 95 Holly Springs Park Drive, Franklin, NC 28734
  • 1196 Skyland Drive, Sylva, NC 28779
  • Boone Retina Satellite: 610 State Farm Road, Boone, NC 28607
  • Clyde Retina Satellite: 486 Hospital Drive, Clyde, NC 28721
  • Hayesville Retina Satellite: 1091 Highway 64 W, Suite 2, Hayesville, NC 28904

Prior to publishing this article, SuspectFile.com attempted to contact a list of 15 physicians at the eye care center twice via email, requesting an official statement on the incident. As of now, no response has been provided, and no information about the data breach affecting patients and employees has been published on their website.

On its blog within the Tor network, DragonForce claims that the total amount of data exfiltrated from AEA’s servers amounts to nearly 540GB. SuspectFile.com has examined the data and can confirm that it includes PHI (Protected Health Information) and PII (Personally Identifiable Information) belonging to both patients treated at the medical centers and AEA employees. Below is a summary of the types of data in the hands of the cybercriminal group:

  • Patients’ full names
  • Patients’ dates of birth
  • Patients’ gender
  • Patient Account Numbers
  • Diagnosis codes
  • Diagnosis descriptions
  • Personal email addresses of patients
  • Personal and corporate email accounts
  • Residential addresses of physicians
  • Phone numbers of physicians and patients
  • Physicians’ spouses’ names
  • Copies of passports and driver’s licenses of physicians
  • Social Security Numbers (SSNs) of physicians and patients
  • Professional licenses
  • HR documents, including Short Term Disability Claim Form, Statement of Employee, and Record to Personnel File
  • Copies of health insurance policies for patients and employees
  • Diagnostic images
  • Administrative documents
  • Payment details for medical services

On December 31, we contacted DragonForce through their Tox ID and asked them several questions about the case:

SuspectFile.com: Approximately when did you enter Asheville Eye Associates IT systems?

DragonForce: About a month ago.

SuspectFile.com: Are you still inside their systems right now or did you leave a backdoor?

DragonForce: No, we finished our work and switched to other tasks.

SuspectFile.com: What is the total amount of data exfiltrated from the servers? Was the data also encrypted?

DragonForce: All the information was available, and we downloaded databases containing extensive customer information.

SuspectFile.com: In addition to the negotiation chat, was Asheville Eye Associates contacted through other channels (email, WhatsApp…)?

DragonForce: They contacted us via chat, but after that they stopped contacting us. I provided them with my WhatsApp number, but they never contacted me.

SuspectFile.com: The data was only exfiltrated but not encrypted?

DragonForce: We always encrypt, and Asheville Eye Associates was no exception.

A page on the ransomware group’s blog, dedicated to this case, also features the published negotiation exchange with a negotiator from Asheville Eye Associates. We provide the full transcript of this conversation below.

2:18 AM, 20 November
Hello. You’ve been attacked by DragonForce as you can see. We’ve researched information about your company and decided to set a price of $7,000,000. Otherwise your data will be published in our blog.
4:46 PM, 20 November
Can you provide the list of files you have taken? Also what type of discounts do you offer?
8:29 PM, 20 November
list.zip (2.65 MB)
8:31 PM, 20 November
If you pay quickly, we can provide a 10% discount.
3:19 PM, 25 November
We need an update ASAP.
7:12 PM, 4 December
Hello, sorry for the delay in responding; it was the Thanksgiving holiday last week, so a lot of people were out. Can you provide the 3 files to prove you have them? These files: Old SPF Records.txt, 01 19 23 KNP POSTING SHEET.xlsm and Zelis Payment URL.txt
7:41 PM, 4 December
Sure.
7:42 PM, 4 December
ashvilleeyes_test.zip (56.76 KB)
2:05 PM, 5 December
Thanks, we will review and be back in touch.
6:18 PM, 5 December
Keep in mind that your decryptor will be automatically deleted in 3 days. We won’t extend the timer if we don't come to an agreement within these 3 days. Hurry up please.

DragonForce demanded a $7,000,000 ransom for the non-disclosure and deletion of the data, with a potential 10% discount if the eye care center paid immediately. The negotiation chat ended on December 5 when the AEA negotiator stopped responding.

What specific data has the group made public? Below are only a few examples of sensitive documents we have redacted to protect the victims’ privacy. We have chosen not to publish PHI documents related to patients and employees of Asheville Eye Associates.

The documents remain online, and anyone could download them from the cybercriminals’ .onion blog for illicit purposes, such as phishing campaigns, identity theft, and more.

Payment Physician AEA – Screenshot and redaction by SuspectFile.com

Provider AEA Addresses – Screenshot and redaction by SuspectFile.com

Among the exfiltrated documents we reviewed is an Excel file (“Arden Optical_11-15-24_01-30-59.xlsx”) listing the eye care services provided at all AEA facilities from January 2021 to January 2022. The file includes:

  • Patients’ full names
  • Reason for visit
  • Optician’s name
  • Optician’s notes
  • Facility name
  • Total number of patients treated during the period from January 2021 to January 2022
  • Number of patients treated by each optician

According to the table titled “Optician Patients All Facilities January 2021 thru January 2022” within the file, the number of patients treated during the period from April 1, 2021, to January 31, 2022, was 60,151.

Arden Optical_11-15-24_01-30-59.xlsx – Screenshot and redaction by SuspectFile.com

Another file, “Appointments to be entered.csv”, published by the DragonForce ransomware group, contains:

  • Provider name
  • Facility
  • Appointment date
  • Appointment time
  • Duration
  • Patient name/ID
  • Phone number

The file was created by an AEA employee on October 3, 2023, and includes a list of 16,831 eye care appointments scheduled between March 13, 2023, and April 14, 2023.

Appointments to be entered.csv – Screenshot and redaction by SuspectFile.com

Among the files published by DragonForce are several copies of “Physician License Certificates” belonging to AEA doctors, which could be used for illegal activities. Below, we provide a redacted copy of one such certificate.

Screenshot and redaction by SuspectFile.com

The last redacted document we are publishing is a copy of a driver’s license belonging to an AEA employee.

Screenshot and redaction by SuspectFile.com

Under the Health Insurance Portability and Accountability Act (HIPAA), breaches involving Protected Health Information (PHI) affecting 500 or more individuals must be reported to the Department of Health and Human Services (HHS) within 60 days of discovering the breach.

As Asheville Eye Associates became aware of the PHI breach on or before November 20, 2024, and given that the incident involves more than 500 individuals, the organization is required to notify HHS no later than January 19, 2025, in compliance with HIPAA’s Breach Notification Rule.

SuspectFile.com will continue to monitor the situation and provide updates as new details emerge.