Paubox blog

Valley Eye Associates reports ransomware incident

Written by Farah Amod | February 10, 2026

An ophthalmology practice in Wisconsin is reviewing exposed records after attackers published sample data online.

 

What happened

Valley Eye Associates, an ophthalmology and optometry practice based in Appleton, Wisconsin, disclosed that it experienced a ransomware incident in early October 2025. According to the disclosure notice, the intrusion occurred between October 8 and October 9 and involved unauthorized access to internal systems and documents. The Qilin ransomware group later posted screenshots and sample files on its dark web site, indicating that patient and employee information may have been accessed.

 

Going deeper

Evidence shared by the attackers suggests that a range of personally identifiable and health-related information was present in the compromised files. Screenshots reviewed online appeared to include names, addresses, government identification details, and medical records. While the total number of affected individuals has not yet been confirmed, the presence of both clinical and administrative data increases the scope of the incident. Ransomware groups such as Qilin typically exfiltrate data before encryption, using public disclosure as leverage. Valley Eye Associates said it is continuing a detailed review of the exposed documents to determine exactly which individuals and data elements were involved.

 

What was said

Valley Eye Associates said it acted quickly after detecting unauthorized access and initiated its incident response procedures. In a notice posted on its website, the practice said it “promptly took steps to terminate the unauthorized access, launched an investigation, reported the incident to law enforcement, and engaged a national cybersecurity firm to assist in assessing the scope of the incident.” Valley Eye Associates said it is preparing individual notification letters in accordance with state law and federal health privacy requirements, which will explain what information was involved and provide a dedicated support line. The organization also said it has implemented additional safeguards within its systems and advised patients and staff to remain alert for unusual financial or medical account activity.

 

In the know

Cybernews describes Qilin as a Russia-based ransomware group that emerged in 2022 and quickly gained momentum, claiming responsibility for 45 attacks the following year. Its activity accelerated sharply in 2024, with reported victims increasing to 179, before surging again in 2025. Cybernews noted that Qilin’s victim count has quadrupled this year, representing one of the fastest growth rates seen among active ransomware operations. Recent attacks have affected large international firms, including Asahi Holdings and Volkswagen Group France, where attackers allegedly stole roughly 2,000 files totaling 150 GB of data. The pace and scale of Qilin’s expansion show how rapidly ransomware groups are growing their reach, with targeted attacks across health, industrial, and corporate environments.

 

The big picture

Ransomware has become the leading cause of healthcare data breaches, driving the majority of large-scale patient data exposures. An academic study published in JAMA Network Open found that ransomware attacks have exposed the records of at least 375 million individuals since 2010. While ransomware incidents make up a smaller share of total breach reports, they account for a disproportionate number of affected patients, largely due to a handful of massive attacks. Researchers noted that data theft and public disclosure tactics, now common among ransomware groups, have shifted these incidents from short-term disruptions into long-lasting privacy events.

 

FAQs

Why is ransomware involving medical records considered high risk?

Medical records combine identity details with treatment information, which can be misused for fraud, impersonation, or false insurance claims.

 

Does publication of sample data confirm a full breach?

Public samples suggest access occurred, but a full forensic review is required to determine the complete scope and number of affected individuals.

 

What steps should affected patients take?

They should review notification letters carefully, monitor medical and financial statements, and watch for communications that reference recent eye care visits.

 

Are employee records often involved in healthcare ransomware incidents?

Yes. Administrative systems frequently store staff records alongside patient files, which can expose both groups during a single incident.

 

How long do investigations like this usually take?

Reviewing unstructured files and determining exposure can take several months, especially when data was accessed or copied by attackers.