The incident appears to have been carried out by the ransomware group, Interlock.
Naper Grove Vision Care in Naperville, Illinois, recently announced it had been the victim of a data breach. The vision care provider reported the breach to the Department of Health and Human Services (HHS) on July 10th, 2025, stating that 501 individuals had been impacted–likely a placeholder value.
In their online notice, Naper Grove stated current and former patients may have had data impacted, including names, addresses, dates of birth, driver’s license numbers, patient numbers, health insurance numbers, and/or medical condition or treatment information. For some, Social Security numbers may have also been impacted.
In their notice, Naper Grove stated they first detected unusual network activity on May 24th, 2025, and immediately began working to secure its systems. They are now beginning to contact impacted individuals.
Interlock, a prominent ransomware group, publicized the attack on the Tor network on June 2nd, 2025. The malicious group threatened to release or sell the stolen data. Interlock also added Naper Grove Vision Care to its data leak site, claiming to have stolen 214 GB of data, including 32,971 folders and 656,891 files. Since then, the data has been leaked, indicating that Naper Grove refused to pay whatever ransom was demanded.
Naper Grove is far from the first victim of the Interlock ransomware gang. The group has successfully attacked multiple healthcare organizations, including an incident in Texas that resulted in 1.4 million individuals having their data stolen. The Cybersecurity & Infrastructure Security Agency recently released an advisory about Interlock, noting that the group first rose to prominence in September 2024 and appears to be specifically targeting healthcare organizations using double extortion tactics.
The HHS requires data breaches impacting over 500 to be reported. Naper Grove is likely still investigating the incident and may know that more than 500 individuals have been impacted, but may not yet know the exact number. Reporting violations in a timely manner is key, so Naper Grove may have decided to file the report now and update it once numbers are finalized.
Double extortion involves threat actors both stealing data and encrypting it, meaning that victims face increased pressure to both get the data back (which may be critical for operations) and prevent it from leaking.