Asheville Eye Associates Settles Ransomware Attack Lawsuit — Claims Now Open

Asheville Eye Associates has agreed to settle a class action lawsuit stemming from a November 2024 ransomware attack that exposed sensitive personal and medical data belonging to hundreds of thousands of patients. The settlement offers up to $1,250 in out-of-pocket reimbursement per class member, one year of credit monitoring through Kroll, and a $10 eyeglasses voucher at any Asheville Eye location. Claims are open now and must be submitted by April 6, 2026, either online or by mail.

The breach, carried out by the ransomware group DragonForce, resulted in nearly 540 GB of stolen data — including Social Security numbers, treatment details, and health insurance information. AEA initially reported 147,116 affected individuals, but the settlement class has since expanded to cover up to 327,756 people. If you received a notice or believe your data was held by Asheville Eye Associates, this article walks through what happened, what you can claim, and exactly how to file before the deadline.

What Happened in the Asheville Eye Associates Ransomware Attack?

On November 18, 2024, an unauthorized party accessed Asheville Eye Associates’ network and exfiltrated files containing patient and employee data. The ransomware group DragonForce claimed responsibility the following month, stating it had stolen nearly 540 GB of information. DragonForce demanded $7 million in ransom. AEA made initial contact with the group but stopped communicating, and no ransom was paid. AEA’s internal investigation concluded on April 14, 2025, confirming the scope of the compromised data: names, addresses, Social Security numbers, treatment details, health insurance information, and settlement class size of 327,756 is worth noting. Breach notifications often undercount the true scope early on, which is why settlements frequently cover a broader class than what appears in the original disclosure.

How Much Can You Claim in the AEA Data Breach Settlement?

Class members can submit claims for up to $1,250 in documented out-of-pocket expenses directly caused by the breach. That includes costs like credit monitoring services you purchased on your own, bank fees from fraudulent transactions, time spent dealing with identity theft, and other verifiable losses tied to the November 2024 incident. You will need documentation — receipts, bank statements, or other records showing the expense and its connection to the breach. All class members are also entitled to one year of Essential Monitoring through Kroll, which provides one-bureau credit monitoring. This benefit is available regardless of whether you file a claim for out-of-pocket expenses, so even if you have not experienced any financial harm yet, you should enroll.

Additionally, every class member receives an automatic $10 voucher for eyeglasses at any Asheville Eye Associates location. However, if your losses exceed $1,250, this settlement will not make you whole. The per-person cap is firm, and there is no provision for extraordinary damages. If you suffered significant identity theft — say, someone opened credit accounts in your name using the stolen Social Security numbers — the settlement reimbursement may cover only a fraction of what you spent resolving it. In that situation, you may want to consult an attorney about whether pursuing an individual claim makes sense, though opting out of the settlement to do so carries its own risks.

Asheville Eye Associates Breach — Key Numbers

| Metric | Value |
| --- | --- |
| Data Stolen (GB) | 540 |
| Ransom Demanded ($M) | 7 |
| Initial Reported Affected | 147,116 |
| Settlement Class Size | 327,756 |
| Max Reimbursement ($) | 1,250 |

Source: Court filings and settlement documents (Case No. 25CV000809-100)

Who Is Eligible for the Asheville Eye Associates Settlement?

The settlement class covers up to 327,756 individuals whose personal information was compromised in the November 2024 breach. If you were a patient or employee of Asheville Eye Associates and received a notification letter about the breach, you are almost certainly a class member. Even if you did not receive a notice but believe your data was held by AEA around the time of the attack, you may still be eligible.

For example, if you had an eye exam at any Asheville Eye Associates location in the years leading up to November 2024 and provided your Social Security number or insurance information, your data may have been in the exfiltrated files. The fact that AEA’s initial count of 147,116 grew to a settlement class of 327,756 suggests the breach reached further into their records than first acknowledged. If you are uncertain about your eligibility, calling the settlement administrator (contact via the official settlement website) is the most direct way to confirm.

How to File Your Claim Before the April 2026 Deadline

Claims must be submitted by April 6, 2026. You can file online through the official settlement website at [aeadatasettlement.com](https://www.aeadatasettlement.com/) or mail a physical claim form postmarked by that date. Online submission is faster and provides immediate confirmation, while mailing a form introduces the risk of postal delays — if you are filing close to the deadline, online is the safer choice. When filing for out-of-pocket reimbursement, gather your documentation before starting. You will need to describe each expense, provide the amount, and attach supporting records.

Generic claims without documentation are likely to be reduced or denied. If you are only enrolling in the free credit monitoring through Kroll and claiming the $10 eyeglasses voucher, the process is simpler since those benefits do not require proof of financial loss. One practical note: do not wait until early April to file. Settlement websites sometimes experience heavy traffic near deadlines, and procrastination can turn a five-minute process into a missed opportunity. The claim form is available now, and there is no benefit to waiting.

Why the DragonForce Data Publication Makes This Breach More Serious

Not all data breaches carry the same level of risk. In many ransomware incidents, the stolen data stays within criminal networks — sold or traded in private forums where access is limited. The Asheville Eye Associates breach crossed a more dangerous threshold. After AEA stopped communicating and refused to pay the $7 million ransom, DragonForce published the stolen data publicly. That means Social Security numbers, medical records, and insurance details for hundreds of thousands of people became available to anyone, not just sophisticated cybercriminals. This distinction matters for class members assessing their own risk.

If your data was in the breach, the exposure is not theoretical — the information is out there. Standard credit monitoring, like the one-bureau Essential Monitoring offered through this settlement, provides alerts but does not prevent misuse. You should consider placing a credit freeze with all three major bureaus (Equifax, Experian, and TransUnion), which is free and blocks new accounts from being opened in your name. A freeze is a stronger protective measure than monitoring alone, and nothing in the settlement prevents you from doing both. The type of data exposed also raises long-term concerns. Social Security numbers do not expire, and medical information — treatment details, physician records — can be used for medical identity theft, where someone receives healthcare under your name. That form of fraud is harder to detect and more difficult to unravel than financial identity theft.

What Happens at the Final Approval Hearing in May 2026?

The court has scheduled a Final Approval Hearing for May 14, 2026, at 10:00 a.m. ET in the North Carolina Business Court, Buncombe County. At that hearing, the judge in case number 25CV000809-100, titled *In re Asheville Eye Associates Data Incident Litigation*, will decide whether to grant final approval to the settlement.

If approved, the claims process moves forward and payments are distributed. If the judge raises objections or a significant number of class members file formal objections, the timeline could shift. Class members do not need to attend the hearing, but anyone who wants to object to the settlement terms must do so before the applicable deadline outlined in the settlement notice. If you believe the settlement is inadequate — for example, if you think the $1,250 cap is too low given the severity of the breach — filing an objection is the mechanism for raising that concern with the court.

Lessons from Healthcare Data Breaches and What to Watch For

Healthcare providers remain among the most targeted organizations for ransomware attacks because they hold exactly the kind of data criminals value most: Social Security numbers, insurance details, and medical records bundled together. The Asheville Eye Associates case follows a familiar pattern — a breach occurs, notification is delayed while the investigation runs, and the true scope turns out to be larger than initially reported. AEA’s numbers nearly doubled from the initial disclosure to the settlement class.

For anyone affected by this breach, the priority now is twofold: file your claim before April 6, 2026, and take independent steps to protect your identity beyond what the settlement provides. Credit freezes, monitoring your explanation of benefits statements for unfamiliar medical charges, and reviewing your credit reports annually are all low-effort, high-value habits. Settlements like this one provide some compensation, but the burden of ongoing vigilance falls on the individual.
