San Diego Eye Bank Hit by Pear Ransomware Attack

What Happened in the Breach

San Diego Eye Bank, a 501(c)(3) nonprofit that has provided corneal and ocular tissue to restore sight since 1959, discovered in February 2026 that an intruder had compromised its network. Public reporting indicated that the Pear ransomware group — which styles itself as “Pure Extraction And Ransom” (PEAR), infiltrated the eye bank’s systems, accessed sensitive data and threatened to leak it unless contacted. 

An investigative note on Mason LLP’s case page says the organization became aware of unauthorized access to its systems in February 2026 and that the attack was attributed to the Pear group, which claimed responsibility and published information about the intrusion. 

Threat‑intelligence trackers like DeXpose reported that on February 8 2026 Pear announced a successful breach of San Diego Eye Bank’s domain (sdeb.org) and threatened to release sensitive data. The publicly available information suggests that the attack targeted the eye bank’s IT infrastructure and that sensitive personal and health‑related information may have been accessed.

Timeline: From First Access To Latest Update

• February 4, 2026 (Estimated): Ransomware.live’s Pear victim list shows an estimated attack date of February 4, 2026, which suggests initial access around this time. The Pear group’s average delay between intrusion and public claim is around 33 days, so intrusion could have occurred earlier.
• February 8, 2026 (Disclosure on leak site): DeXpose reported that on February 8, 2026, Pear claimed it breached San Diego Eye Bank and threatened to leak data unless demands were met. HookPhish and Ransomware.live records place discovery or public disclosure on February 8, 2026, matching that report.
• February 8 to 9, 2026 (Discovery by monitoring services): BreachSense lists discovery on February 9, 2026 and names San Diego Eye Bank as a PEAR ransomware victim, with limited intrusion detail. HookPhish lists discovery on February 8, 2026 and repeats the estimated February 4, 2026 attack date.
• February 2026 (Recognition of incident): Mason LLP stated that San Diego Eye Bank identified a data security incident in February 2026 involving unauthorized system access. The firm said Pear claimed responsibility and published breach information.
• As of February 22, 2026 (Latest public update): No official statements appeared from San Diego Eye Bank, regulators, or law enforcement as of February 22, 2026. Public reporting did not name the number of affected individuals or describe ransom negotiations.

What Data Or Systems Were Affected

San Diego Eye Bank’s mission involves recovering, processing and distributing corneal and ocular tissues for transplant and research. The organization works with hospitals and eye surgeons across Southern California, and its systems likely contain sensitive donor, patient and employee information. Mason LLP warns that the compromised data may include personal identification details such as names, addresses, email addresses, phone numbers and Social Security numbers. 

While the full scope remains unknown, exposure of medical or donation records could reveal health conditions, tissue‑matching data, financial details and other protected health information (PHI). Threat‑intelligence sources have not provided evidence that the eye bank’s core transplant database was encrypted, but the Pear group’s ransom posts typically indicate that data has been exfiltrated and encrypted simultaneously to maximise extortion leverage.

Given the absence of official disclosure, it is uncertain whether backup systems were impacted or whether the eye bank’s clinical operations were disrupted. However, in similar Pear attacks on Tri‑Century Eye Care in September 2025, intruders accessed files containing names, birthdates, Social Security numbers, medical and diagnostic information, insurance details and financial records. 

The Tri‑Century case involved more than 3 terabytes of stolen data and affected roughly 200,000 people. These figures illustrate the potential scale of data theft when PEAR targets healthcare providers, although there is no confirmation that San Diego Eye Bank’s breach reached similar levels.

Who Was Responsible (Confirmed Vs Alleged)

The Pear ransomware group publicly claimed responsibility for the San Diego Eye Bank intrusion. Ransomware.live describes the group as a private and “strictly disciplined” team called “Pure Extraction And Ransom (PEAR),” emphasising that it does not associate itself with other threat actors. The platform lists San Diego Eye Bank as one of 57 victims identified between August 2025 and February 2026. 

The group’s top targeted sectors include healthcare, business services and manufacturing, and more than 53 of its known victims are located in the United States. PEAR’s average dwell time, the delay between initial compromise and public disclosure, is approximately 33 days, suggesting a deliberate reconnaissance phase before ransom demands are published.

Although Pear’s claims are widely reported by threat‑intel aggregators, there is no independent confirmation that the group accessed San Diego Eye Bank’s systems. No law enforcement agency has publicly attributed the attack, and the eye bank has not issued a statement verifying the gang’s involvement. 

In other attacks, such as the Tri‑Century Eye Care breach, the Pear group posted evidence of data exfiltration on its dark‑web leak site, but the organization’s official notice emphasised that electronic medical records were not compromised. Without similar disclosures from San Diego Eye Bank, Pear’s role remains alleged, albeit credible given the group’s modus operandi.

How The Attack Worked

Detailed technical information about the San Diego Eye Bank intrusion has not been published. However, analyses of the Pear ransomware group provide insight into its tactics. The group describes itself as a private operation focusing on targeted attacks, with an emphasis on data exfiltration followed by extortion. 

Paubox notes that PEAR generally operates with long dwell times, averaging 41 days between initial access and public disclosure, which allows attackers to explore networks, steal data, and identify backup systems.

The group primarily targets healthcare organizations, business services and manufacturing, and its campaigns often involve credential compromise through phishing or exploitation of insecure third‑party integrations and application programming interfaces (APIs). After obtaining foothold, PEAR typically harvests sensitive files, encrypts local data and threatens to leak the stolen information unless a ransom is paid.

Industrial Cyber’s ransomware trend report highlights that PEAR is among several emerging ransomware groups that focus on data theft and extortion rather than purely encrypting systems. In one early case, PEAR claimed to have stolen 2 terabytes of data from West Chester Township’s government systems. 

The group uses dedicated onion‑service websites for communication and leak posting. Since the attack on San Diego Eye Bank was first publicised on the group’s leak site rather than through the organization itself, it is reasonable to infer that the intruders followed this standard pattern: infiltrate via credential theft or software vulnerability, exfiltrate data, encrypt systems and then post a ransom note on the leak site when negotiations failed or stalled.

Impact and Risks for Customers

Although San Diego Eye Bank has not publicly quantified the breach, the potential impact for donors, transplant recipients, employees and healthcare partners is significant.

The eye bank’s systems likely contain personally identifiable information (PII) and protected health information (PHI) such as names, addresses, contact details, Social Security numbers, tissue donor IDs and medical histories. 

Mason LLP warns that compromised information could be misused for identity theft or fraud if exposed. In similar PEAR incidents, stolen medical records were sold or published, exposing sensitive diagnostic and insurance data and causing victims to suffer financial losses and credit damage.

The unauthorized disclosure of donor or recipient information could also erode trust in the eye bank, potentially reducing organ and tissue donations.

Beyond data exposure, ransomware attacks on healthcare providers often disrupt services. Tri‑Century Eye Care, another PEAR victim, reported that its clinical operations remained unaffected, but other healthcare providers such as hospitals have experienced appointment cancellations and delays due to system lockdowns. 

If San Diego Eye Bank’s clinical or administrative systems were encrypted, transplant scheduling and donor matching could have been interrupted, affecting patients awaiting corneal transplants. The risk of extortion extends beyond initial ransom demands; leaked data may be circulated on the dark web and used by other criminals for phishing or social engineering campaigns, increasing long‑term harm.

Company Response And Customer Remediation

At the time of writing, San Diego Eye Bank had not issued a public statement addressing the ransomware incident. Mason LLP’s notice states that the organization became aware of the data‑security incident in February 2026 and that the specific information affected was still under investigation. 

The law firm urges potentially affected individuals to remain vigilant and monitor their accounts for suspicious activity. There is no evidence that the eye bank has provided identity‑theft protection, credit monitoring or other remediation services to potential victims. Attorneys at Mason LLP and other firms have launched investigations into the breach and are encouraging affected individuals to join potential class‑action lawsuits.

In the absence of an official response, recommended best practices for customers and donors include monitoring credit reports, freezing credit if necessary, changing passwords, enabling multi‑factor authentication on online accounts and being cautious of unsolicited communications referencing the eye bank. Healthcare entities often cooperate with regulators and law enforcement after ransomware incidents; however, no such collaboration has been publicly confirmed.

Government, Law Enforcement, And Regulator Actions

As of February 22 2026, there have been no announcements by federal or state regulators regarding the San Diego Eye Bank breach. Data breaches affecting California residents typically require notification under the state’s data security breach law, which mandates reporting to the Attorney General when more than 500 individuals are impacted. 

The California Office of the Attorney General’s breach database does not yet list an entry for San Diego Eye Bank, suggesting that either the incident has not been officially reported or the number of affected individuals remains below the reporting threshold. Similarly, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) — which maintains a “Wall of Shame” for healthcare breaches — has not posted a notice related to the eye bank. Local law enforcement agencies have not released statements about investigations or possible arrests connected to the incident.

Financial, Legal, And Business Impact

Financial repercussions for San Diego Eye Bank are difficult to quantify without official statements, but ransomware incidents typically impose significant costs. Expenses may include forensic investigations, system restoration, security upgrades, legal fees and potential ransom payments. 

The law firm Mason LLP has indicated it is investigating a class‑action lawsuit on behalf of individuals whose data may have been exposed. Healthcare data breach cases often result in settlements or verdicts requiring organizations to provide credit monitoring, cash compensation and enhanced security measures. For example, Tri‑Century Eye Care, another PEAR victim, faces claims from lawyers representing approximately 200,000 impacted individuals.

A successful class action against San Diego Eye Bank could result in financial damages that strain the nonprofit’s resources. Additionally, the breach may affect donor confidence, leading to decreased donations and financial support. The incident underscores the vulnerability of small and medium‑sized healthcare organizations, which often operate with limited cybersecurity budgets but handle highly sensitive data.

What Remains Unclear About the Incident

1. Scope of Data Exposure: No official notification has been issued to quantify how many donors, recipients, employees or partners are affected. The types of data confirmed to be compromised have not been publicly detailed.
2. Method of Intrusion: There is no forensic report describing whether attackers exploited a vulnerability, used stolen credentials or leveraged a third‑party vendor. PEAR’s general tactics suggest phishing or API exploitation, but specifics are unconfirmed.
3. Operational Disruption: It remains unclear whether the attack disrupted transplant services or other critical operations. Without confirmation from the eye bank, it is unknown if backups were used to restore systems or whether any ransom was paid.
4. Regulatory and Law Enforcement Response: As of late February 2026, no regulatory filings or law enforcement statements have been made public. It is unclear when or if the organization will notify regulators, which could trigger investigations and potential fines.
5. Ransom Negotiation: There is no evidence of ransom demands or negotiations. PEAR typically posts data after unsuccessful negotiations, but the status of any communication between the eye bank and the attackers has not been disclosed.

Why This Incident Matters

The San Diego Eye Bank breach highlights the escalating threat of ransomware against nonprofit healthcare organizations. Though the eye bank is a relatively small player compared with large hospital systems, it handles highly sensitive donor and patient information and provides critical services that restore sight to individuals across Southern California. 

The attack demonstrates that specialized healthcare providers are not immune to sophisticated extortion campaigns. It also underscores a broader trend: cybercriminal groups like PEAR increasingly target healthcare entities because stolen medical data commands high value on the black market and ransomware disruptions can quickly jeopardize patient care, increasing pressure to pay. The absence of timely disclosure from the eye bank also illustrates how victims sometimes struggle to balance transparency with operational recovery and legal considerations.

For the cybersecurity community, the incident serves as a cautionary tale about supply‑chain and third‑party risks. Healthcare providers often rely on a network of vendors for billing, scheduling and electronic health records; attackers can exploit weak links in this ecosystem to gain access. Ensuring robust incident detection, timely patching, secure integrations and employee training is essential to mitigate these risks. The case also underscores the importance of regulatory compliance and reporting, especially in jurisdictions like California that impose strict breach‑notification rules.

Bright Defense: Proactive Protection Through Pen Tests and Continuous Compliance

Small healthcare nonprofits like San Diego Eye Bank face tough security pressures because tight budgets and older systems collide with high value data and complex workflows. Bright Defense helps reduce ransomware risk with penetration testing and network security assessments that surface weaknesses across web apps, APIs, and infrastructure. 

We then help teams prioritize fixes, tighten security controls, and prepare response plans. Bright Defense supports ongoing compliance work tied to HIPAA, California breach notice requirements, and insurer expectations, while keeping staff training and readiness on track.

Sources

1. Mason LLP — San Diego Eye Bank Data Breach Class Action (February 11 2026)
   https://www.masonllp.com/case/san-diego-eye-bank-data-breach-class-action/
2. DeXpose — Pear Ransomware Strikes San Diego Eye Bank (February 8 2026)
   https://www.dexpose.io/pear-ransomware-strikes-san-diego-eye-bank/
3. Ransomware.live — PEAR Group Overview and Victim List (accessed February 22 2026)
   https://www.ransomware.live/group/pear
4. Ransomware.live — Victim Entry for San Diego Eye Bank (accessed February 22 2026)
   https://www.ransomware.live/group/pear (victim list table)
5. HookPhish — Ransomware Group PEAR Hits San Diego Eye Bank (February 8 2026)
   https://www.hookphish.com/blog/ (recorded discovery and attack dates)
6. BreachSense — San Diego Eye Bank Data Breach in 2026 (February 9 2026)
   https://www.breachsense.com/breaches/san-diego-eye-bank-data-breach/
7. Paubox — Tri‑Century Eye Care Hit by PEAR Ransomware Attack (November 13 2025)
   https://www.paubox.com/blog/tri-century-eye-care-hit-by-pear-ransomware-attack
8. SC Media — Nearly 200K Impacted by Tri‑Century Eye Care Breach (December 9 2025)
   https://www.scworld.com/brief/nearly-200k-impacted-by-tri-century-eye-care-breach
9. SecurityWeek — Tri‑Century Eye Care Data Breach Impacts 200,000 Individuals (December 8 2025)
   https://www.securityweek.com/tri-century-eye-care-data-breach-impacts-200000-individuals/
10. Industrial Cyber — Comparitech Reports Ransomware Attacks Rose for a Second Month (September 3 2025)
    https://industrialcyber.co/control-device-security/comparitech-reports-ransomware-attacks-rose-for-a-second-month-hitting-healthcare-manufacturing-food-sectors/
11. San Diego Eye Bank — About Us (accessed February 22 2026)
    https://www.sdeb.org (provides background on the eye bank’s mission since 1959)