CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Tri-Century Eye Care Data Breach Exposes 200,000+ Patient Records in Targeted Ransomware Attack

Tri-Century Eye Care, a Pennsylvania-based healthcare provider, has disclosed a data breach impacting roughly 200,000 individuals, following a ransomware intrusion attributed to the Pear cybercriminal group. While electronic medical records were not directly compromised, attackers accessed files containing highly sensitive personal, financial, and medical information. The stolen data — more than 3 terabytes, according to the attackers — has since been publicly leaked.

Context

Healthcare remains one of the most heavily targeted sectors for ransomware operations due to its concentration of high-value data and operational urgency. Eye care providers, despite their specialized focus, often maintain vast repositories of protected health information (PHI), making them attractive targets for threat actors seeking financial leverage through extortion.

Tri-Century Eye Care operates multiple clinics in Bucks County, Pennsylvania, and provides a wide range of diagnostic and treatment services. The organization detected unusual activity on September 3, 2025, prompting a forensic investigation and regulatory notifications.

What Happened

Investigators confirmed that while Tri-Century’s core electronic medical records system was not breached, attackers accessed other network files containing sensitive information. The exposed data may include:

  • Names

  • Dates of birth

  • Social Security numbers

  • Medical and diagnostic information

  • Treatment details

  • Insurance data

  • Payment and financial information

  • Tax-related identifiers

The U.S. Department of Health and Human Services (HHS) breach portal now lists the incident as affecting approximately 200,000 individuals.

The Pear ransomware gang claimed responsibility, alleging theft of more than 3 terabytes of HR files, financial documents, operational records, emails, and patient PHI. The group later posted the stolen data online, indicating that Tri-Century declined to pay ransom demands.

Technical Breakdown

While Tri-Century has not publicly disclosed specifics of the intrusion, indicators point to a standard ransomware playbook:

  • Initial Access: Likely via stolen credentials, remote access system exploitation, or phishing.

  • Lateral Movement: Attackers located and accessed non-EMR file repositories containing PHI.

  • Data Exfiltration: Large-scale extraction of unencrypted data prior to ransomware deployment.

  • Extortion: Pear gang attempted ransom negotiations; Tri-Century did not comply.

  • Leak: Full dataset released on Pear’s extortion site.

The attack aligns with Pear’s historical tactics of large-volume data theft and aggressive public exposure.

Impact Analysis

The consequences of this breach are substantial:

  • Mass identity theft risk stemming from exposed SSNs and financial identifiers.

  • Long-term medical privacy concerns, including diagnostic histories and treatment plans.

  • Regulatory exposure under HIPAA and state data protection laws.

  • Operational disruption, though EMR integrity was preserved.

  • Community trust erosion, particularly given the nature of eye care services relying on continuity.

This incident also reinforces that attackers increasingly target secondary data stores outside EMR systems, which often lack the same level of encryption or monitoring.

Why It Matters

Healthcare organizations continue to struggle with legacy systems, minimal segmentation, and uneven patching practices. This breach highlights three critical realities:

  1. Ransomware groups target any provider, regardless of size or specialization.

  2. Non-EMR systems can contain massive amounts of PHI, often without equivalent safeguards.

  3. Refusal to pay ransom — while ethically aligned — often leads to full data exposure, escalating long-term risks for victims.

Tri-Century joins a growing list of eye care providers affected this year, including Ocuco, Asheville Eye Associates, and Retina Group of Florida.

Expert Commentary

Cybersecurity analysts emphasize that:

  • Data governance is now just as critical as perimeter defense.

  • Backup and segmentation strategies must include secondary file shares, archives, and legacy systems.

  • Healthcare-specific threat groups are increasingly disciplined, patient, and capable of multi-stage intrusions.

Pear ransomware’s strategy is consistent with broader industry patterns: steal first, encrypt second, leak quickly.

Key Takeaways

  • Tri-Century Eye Care breach impacts ~200,000 individuals.

  • Attack attributed to Pear ransomware group.

  • Over 3 terabytes of data allegedly stolen and publicly leaked.

  • Sensitive PHI and financial data exposed, despite EMR not being breached.

  • Highlights weaknesses in non-EMR data stores and secondary systems.

  • Healthcare sector continues to face disproportionate ransomware risk.

  • Strong segmentation, least-privilege controls, and continuous monitoring remain essential.
