Tri-Century Eye Care has suffered a ransomware attack by the PEAR group, resulting in unauthorized access to sensitive patient and employee information.
The Pennsylvania-based ophthalmology practice Tri-Century Eye Care detected suspicious activity within its network on September 3, 2025. Two weeks later, on September 19, an investigation confirmed unauthorized access to patient and employee files.
The hacker group known as PEAR posted evidence of the intrusion on the dark web on September 18-19, signalling their responsibility.
According to Claim Depot, the exposed information may include names, Social Security numbers, dates of birth, health-care treatment/diagnostic data, insurance/billing/payment details, and tax/financial information. The exact number of individuals impacted remains unknown.
In its official notice, Tri-Century Eye Care stated that on September 3, 2025, it “identified suspicious activity within our network, and promptly took steps to secure the environment and launched an investigation.” With assistance from cybersecurity experts, the practice later learned that “an unknown actor gained unauthorized access to our network and acquired files” on September 19, 2025. Tri-Century emphasized that “there was no evidence of any access to our current electronic medical records system,” suggesting that its main patient database was not compromised.
In response, the eye-care provider said it had “implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future,” which include “stronger password requirements, more frequent required password changes, reduced access permissions, and offline storage of older data.” Tri-Century also confirmed that it had “notified the Department of Health and Human Services and the FBI and will cooperate with any resulting investigation.” To support affected individuals, the organization “established a toll-free call center” and advised patients to consider protective actions such as monitoring credit reports and placing fraud alerts.
According to Ransomware Live, the Pure Extraction and Ransom (PEAR) Team identifies itself as a “private team” that is “highly responsible and strictly disciplined,” claiming to have “nothing [in] common with any other threat actors.” Despite this self-description, the group has been linked to a series of targeted cyberattacks across multiple sectors. PEAR primarily focuses on healthcare, business services, manufacturing, and technology, with healthcare organizations featuring prominently among its victims. As of the latest update, Ransomware Live reports 44 known victims attributed to the group, with the United States accounting for most of the attacks, highlighting PEAR’s growing footprint and continued threat to essential industries.
Key characteristics
Ransomware attacks on healthcare organizations have serious operational and privacy consequences. According to Paubox, citing the HHS Office for Civil Rights (OCR), such attacks have surged by 264% since 2018, reflecting growing threats to the sector. When systems are locked or data is stolen, hospitals and clinics can face service disruptions, delayed treatments, and even risks to patient safety.
Beyond disrupting care, these incidents expose protected health information (PHI). Due to the exposure of PHI, healthcare breaches can trigger HIPAA investigations and costly penalties, while patient trust and data integrity suffer lasting damage. The Tri-Century Eye Care incident shows how even smaller, specialized providers remain vulnerable.
Ransomware is malicious software that encrypts an organization’s data, making it inaccessible until a ransom is paid. Attackers often also steal data before encrypting it, adding pressure through threats of public exposure.
Affected organizations should isolate affected systems to prevent spread, notify law enforcement and regulatory bodies, communicate transparently with patients and staff, and engage cybersecurity experts to investigate and remediate.
Experts generally advise against paying ransoms, as it encourages criminal activity and doesn’t guarantee data recovery or prevention of leaks. Instead, organizations should rely on backups and incident response plans.
In some cases, yes. While attackers often encrypt data, demanding ransom for the key, the extraction of data means sensitive information can be leaked or sold even if files are eventually restored.
Under HIPAA, healthcare providers must notify affected individuals, report the breach to the HHS Office for Civil Rights, and take steps to mitigate harm. Failure to comply can result in significant fines and penalties.