On September 3, 2025, Tri-Century Eye Care, an ophthalmology practice in Pennsylvania, detected suspicious network activity. A subsequent investigation confirmed a **PEAR ransomware attack** that compromised **personal and protected health information (PHI)** of both **patients and employees**. The breach exposed highly sensitive data, including **names, Social Security numbers, dates of birth, medical/health records, health insurance details, billing/payment information, and tax/financial data**. The ransomware group **exfiltrated files** before encrypting systems, posing severe risks such as **identity theft, financial fraud, and exposure of confidential medical histories**. While the exact number of affected individuals remains undisclosed, the incident involved **current and former patients and employees**, amplifying the scope.

The company responded by securing its environment, engaging cybersecurity experts, notifying law enforcement, and implementing stricter security measures like **access restrictions, password policies, and offline data storage**. The breach’s fallout extends beyond financial and reputational damage, as victims face long-term vulnerabilities from exposed PHI, including potential **medical identity fraud and targeted scams**. The involvement of a **known ransomware group** further escalates the threat severity, given their history of exploiting stolen data for extortion or sale on dark web markets.
Source: https://www.claimdepot.com/data-breach/tri-century-eye-care-2025
The HIPAA Journal cybersecurity rating report: https://www.rankiteo.com/company/hipaa-journal
"id": "hip4392143111025",
"linkid": "hipaa-journal",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Not publicly disclosed '
'(current/former patients and '
'employees)',
'industry': 'Ophthalmology',
'location': 'Pennsylvania, USA',
'name': 'Tri-Century Eye Care',
'type': 'Healthcare Provider'}],
'attack_vector': 'Malicious software infiltration',
'customer_advisories': ['Review notices from Tri-Century Eye Care',
'Monitor for identity theft/financial fraud',
'Consider credit freezes/fraud alerts',
'Avoid sharing personal info in response to '
'unsolicited contacts'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 'Not publicly disclosed',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs, medical records, '
'financial data)',
'type_of_data_compromised': ['Personal Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2025-09-03',
'date_publicly_disclosed': '2025-10-30',
'description': 'On Sept. 3, 2025, Tri-Century Eye Care detected suspicious '
'activity within its internal network. An investigation '
'confirmed a data breach on Sept. 19, 2025, compromising '
'personal and protected health information (PHI) of patients '
'and employees. The PEAR ransomware group claimed '
'responsibility, announcing on Sept. 18, 2025, that they had '
'exfiltrated sensitive data. The breach exposed names, Social '
'Security numbers, dates of birth, medical/health information, '
'health insurance details, billing/payment information, and '
'tax/financial data. The incident poses risks of identity '
'theft, financial fraud, and exposure of sensitive medical '
'information.',
'impact': {'brand_reputation_impact': 'High (sensitive PHI exposed)',
'data_compromised': ['Names',
'Social Security numbers',
'Dates of birth',
'Medical/health information',
'Health care treatment/diagnostic information',
'Health insurance information',
'Billing/payment information',
'Tax/financial information'],
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': ['Internal network']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (claimed by PEAR '
'group)',
'high_value_targets': ['Patient PHI',
'Employee PII']},
'investigation_status': 'Completed (as of public disclosure)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['Enhanced password policies',
'Reduced access permissions',
'Offline storage for older '
'data']},
'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'PEAR'},
'recommendations': ['Monitor financial accounts and credit reports for '
'identity theft',
'Place fraud alerts/credit freezes with credit bureaus',
'Beware of phishing (unsolicited emails/calls requesting '
'personal info)',
'Review notices from Tri-Century Eye Care'],
'references': [{'date_accessed': '2025-10-30',
'source': 'Tri-Century Eye Care Website Notice'},
{'date_accessed': '2025-09-18',
'source': 'PEAR Ransomware Group Dark Web Forum Post'}],
'regulatory_compliance': {'regulations_violated': ['Likely HIPAA (Health '
'Insurance Portability and '
'Accountability Act)']},
'response': {'communication_strategy': ['Website notice (Oct. 30, 2025)',
'Toll-free call center (800-405-6108, '
'Mon-Fri 8 a.m.–8 p.m. ET)',
'Advisories for monitoring financial '
'accounts/credit reports',
'Fraud alert/credit freeze '
'recommendations'],
'containment_measures': ['Secured environment'],
'enhanced_monitoring': 'Implemented (post-breach)',
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['Stronger password requirements',
'More frequent password changes',
'Reduced access permissions',
'Offline storage of older data'],
'third_party_assistance': ['Cybersecurity experts']},
'stakeholder_advisories': ['Toll-free call center for questions '
'(800-405-6108)',
'Guidance on fraud prevention and credit '
'monitoring'],
'threat_actor': 'PEAR ransomware group',
'title': 'Tri-Century Eye Care Data Breach and Ransomware Attack (2025)',
'type': ['Data Breach', 'Ransomware Attack']}