Naper Grove Vision Care data breach: what happened and why it matters
- Errol Janusz
- Aug 7

Naper Grove Vision Care (NGVC) is a small optometry practice based in Naperville and Downers Grove, Illinois. A notice posted on the firm’s website explained that it has been providing eye‑care services since 1949 and currently operates two clinics staffed by more than ten employees. NGVC provides routine eye exams, contact‑lens fittings, pediatric eye care and other vision‑care services. Because it is a healthcare provider, NGVC is subject to the Health Insurance Portability and Accountability Act (HIPAA) and must report breaches of protected health information to the U.S. Department of Health and Human Services (HHS).
The incident
According to NGVC’s breach notice, the company detected unusual network activity on 24 May 2025 and immediately engaged independent cybersecurity experts to investigate. The investigation confirmed that an unauthorized third party gained access to NGVC’s computer network and exfiltrated sensitive data. A file review showed that the stolen information included patients’ names, addresses, birth dates, driver’s‑license numbers, patient numbers, health‑insurance information, explanation‑of‑benefits documents and medical condition or treatment information; a limited number of patients also had their Social Security numbers compromised. NGVC began analyzing the data to determine which individuals were affected and posted a public notice on its website.
The organization reported the breach to HHS on 10 July 2025, listing 501 affected individuals—likely a placeholder count because entities must report breaches affecting more than 500 people without delay. HIPAA Journal notes that the incident has been logged with the Office for Civil Rights (OCR), which enforces HIPAA compliance.
Ransomware involvement
While NGVC’s notice did not initially mention ransomware, subsequent reporting revealed that the Interlock ransomware group claimed responsibility for the attack. HIPAA Journal reported on 23 July 2025 that Interlock had added Naper Grove Vision Care to its data‑leak site and claimed to have stolen 214 GB of data across 32,971 folders and 656,891 files. The cyber‑criminals subsequently released the entire cache of stolen data, suggesting that NGVC did not pay the ransom. Paubox’s coverage confirms that Interlock publicized the attack on its dark‑web leak site on 2 June 2025 and threatened to release or sell the data unless a ransom was paid. Interlock is a relatively new ransomware gang known for double extortion—stealing data and encrypting systems to exert pressure on victims to pay. CISA issued an advisory warning that the group, which emerged in September 2024, has increasingly targeted healthcare organizations.
Types of data exposed
The information stolen during the NGVC breach is particularly sensitive. According to the breach notice and subsequent analyses:
- Personal identifiers: Names, addresses and dates of birth of current and former patients.
- Government‑issued IDs: Driver’s‑license numbers and, in some cases, Social Security numbers.
- Medical identifiers: Patient numbers and health‑insurance information, including explanation‑of‑benefits documents.
- Health information: Medical conditions and treatment details.
Strauss Borrelli PLLC’s investigation notice emphasized that the exposed data could be used for identity theft and medical‑identity fraud.
Impact and response
NGVC has advised affected patients to monitor their bank accounts and credit reports and to report any suspicious activity to law enforcement. Notably, there is no mention of complimentary credit‑monitoring services in NGVC’s substitute breach notice. Paubox suggests that the final number of affected individuals may exceed the placeholder figure of 501, and the company may update its report once the analysis is complete. NGVC has begun mailing letters to impacted individuals and is reviewing its security measures to prevent similar incidents.
Broader context
This breach is part of a broader pattern of ransomware attacks targeting healthcare organizations. Interlock has attacked other healthcare providers, including a Texas medical group where 1.4 million individuals had their data stolen. Healthcare entities are attractive targets for ransomware gangs because they hold sensitive personal and medical data and may be more likely to pay ransoms quickly to resume patient care. The NGVC breach underscores the importance of robust cybersecurity controls, regular network monitoring and comprehensive incident‑response plans.
What patients should do
Victims of the NGVC breach should take proactive steps to minimize the risk of identity theft:
- Review the breach notice: Affected individuals should carefully read NGVC’s notice to understand what information was compromised and the steps the company recommends.
- Monitor accounts: Keep a close eye on bank and credit‑card statements, insurance Explanation‑of‑Benefits statements and medical bills, and report any unauthorized transactions immediately.
- Change passwords and enable multi‑factor authentication: Update passwords for online accounts, especially if similar credentials were used across services. Enable multi‑factor authentication where available.
- Place a credit freeze or fraud alert: Contact the major credit bureaus to freeze your credit or add a fraud alert to prevent the opening of new accounts in your name.
- Watch for phishing: Be cautious of unsolicited emails, phone calls or texts requesting personal information; threat actors may use stolen data to craft convincing phishing messages.