Dermatology services giant operating in 17 states exposes data of 3.1 million

QualDerm, a US dermatology management services provider supporting more than 150 practices across 17 states, is notifying more than 3.1 million people after a data breach exposed medical and health insurance information.
- A data breach at QualDerm is impacting more than 3.1 million people.
- The stolen data includes personal information, medical diagnoses, treatment plans, and health insurance details.
- QualDerm supports 150-plus dermatology practices across 17 states, serving nearly 1.5 million patients annually.
Unauthorized access detected in December
The operations, finance, and IT services provider, which began sending out breach notification letters to patients this week, said it first became aware of the intrusion on December 24th, 2025.
With the help of outside cybersecurity specialists, investigators determined that “an unauthorized actor accessed a limited number of systems between December 23rd and December 24th, 2025, and removed certain information stored within those systems,” QualDerm said.
The breach was also reported to the US Department of Health and Human Services (HHS) Office for Civil Rights on February 22nd, as required by federal healthcare data-breach reporting rules.
In total, data on 3,117,874 individuals was compromised in the IT hacking incident, the HHS portal shows.
Medical and insurance data exposed
QualDerm, together with Pinnacle Dermatology, the national skin care and aesthetics wellness brand, supports more than 158 practices and 350 dermatology providers, serving an average of 120,000 patients per month, according to its website.
QualDerm locations span 17 states across the Northeast, South, and Midwest, including Arizona, Illinois, Ohio, Tennessee, North Carolina, Pennsylvania, Michigan, Minnesota, New Jersey, and both Virginia and West Virginia.
The company says the data affected varies by individual but may include:
- Patient name
- Email address
- Date of birth/date of death
- Doctor name
- Medical record number
- Diagnosis and treatment information
- Health insurance information
- Government-issued identification information, such as a driver’s license number
The company did not mention whether the personally identifiable information of doctors or medical staff was also exposed in the breach, nor did it say how the attackers were able to breach its systems.
According to LinkedIn, QualDerm Partners, which combined with Pinnacle Dermatology in 2022, has over 2,000 employees at its headquarters in Tennessee.
"Healthcare keeps struggling with identity because the industry has treated access management as a compliance exercise rather than a security architecture decision," says Brian Bell, CEO at FusionAuth.
Bell believes the problem isn’t just that attackers can get into a network, but that once inside, there is nothing limiting what attackers can reach.
“Authorization controls, audit trails, isolated infrastructure; that’s what turns a catastrophic breach into a contained incident. Without it, you’re doing forensics on a disaster instead of preventing one,” he said.
QualDerm said it is not aware of any misuse of the information so far, but warned impacted individuals to monitor financial statements, credit reports, and explanation of benefits statements for suspicious activity.
The company said it is offering affected individuals credit monitoring and identity protection services as an added precaution.
Breach reported to US health authorities
Because the breach involves electronic protected health information (e-PHI), the incident appears on the US health department’s breach reporting portal, which tracks major healthcare data breaches affecting 500 or more individuals under HIPAA.
"This is a concerning development for QualDerm patients, as the breach exposes quite a bit of personal, medical, and identification-related information, leaving them open to possible phishing and identity theft schemes," said Chris Hauk, Consumer Privacy Champion at Pixel Privacy.
Medical records typically contain a combination of personally identifiable information, insurance details, and health data, which can be more valuable on underground markets than basic financial information alone, and can even contribute to medical fraud.
“Affected patients should keep an eye out for phishing schemes using the gleaned info and should also immediately take advantage of the free identity theft and credit monitoring services offered by the company," Hauk said.
QualDerm additionally said it has taken steps to improve security and is reviewing its data protection policies and procedures following the incident.
“We at QualDerm take this event and the security of information in our care seriously and encourage individuals to remain vigilant by reviewing account statements, Explanation of Benefits forms, and reporting all suspicious activity to the institution that issued the record,” it said.